CodeQL full CWE coverage
An overview of the full coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.
Overview
CWE | Language | Query id | Query name |
---|---|---|---|
CWE‑11 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑12 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑13 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑14 | C++ | cpp/memset-may-be-deleted | Call to memset may be deleted |
CWE‑20 | C++ | cpp/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | C++ | cpp/count-untrusted-data-external-api-ir | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | C++ | cpp/untrusted-data-to-external-api-ir | Untrusted data passed to external API |
CWE‑20 | C++ | cpp/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | C++ | cpp/uncontrolled-process-operation | Uncontrolled process operation |
CWE‑20 | C++ | cpp/unclear-array-index-validation | Unclear validation of array index |
CWE‑20 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑20 | C++ | cpp/late-check-of-function-argument | Late Check Of Function Argument |
CWE‑20 | C++ | cpp/linux-kernel-no-check-before-unsafe-put-user | Linux kernel no check before unsafe_put_user vulnerability detection |
CWE‑20 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | C# | cs/serialization-check-bypass | Serialization check bypass |
CWE‑20 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | C# | cs/xml/missing-validation | Missing XML validation |
CWE‑20 | C# | cs/assembly-path-injection | Assembly path injection |
CWE‑20 | Go | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | Go | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | Go | go/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑20 | Go | go/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑20 | Go | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
CWE‑20 | Go | go/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | Go | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
CWE‑20 | Java | java/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | Java | java/overly-large-range | Overly permissive regular expression range |
CWE‑20 | Java | java/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | Java | java/improper-validation-of-array-construction | Improper validation of user-provided size used for array construction |
CWE‑20 | Java | java/improper-validation-of-array-construction-code-specified | Improper validation of code-specified size used for array construction |
CWE‑20 | Java | java/improper-validation-of-array-construction-local | Improper validation of local user-provided size used for array construction |
CWE‑20 | Java | java/improper-validation-of-array-index | Improper validation of user-provided array index |
CWE‑20 | Java | java/improper-validation-of-array-index-code-specified | Improper validation of code-specified array index |
CWE‑20 | Java | java/improper-validation-of-array-index-local | Improper validation of local user-provided array index |
CWE‑20 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑20 | JavaScript | js/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | JavaScript | js/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑20 | JavaScript | js/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑20 | JavaScript | js/incorrect-suffix-check | Incorrect suffix check |
CWE‑20 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑20 | JavaScript | js/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑20 | JavaScript | js/overly-large-range | Overly permissive regular expression range |
CWE‑20 | JavaScript | js/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | JavaScript | js/useless-regexp-character-escape | Useless regular-expression character escape |
CWE‑20 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑20 | JavaScript | js/double-escaping | Double escaping or unescaping |
CWE‑20 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑20 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑20 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑20 | JavaScript | js/untrusted-data-to-external-api-more-sources | Untrusted data passed to external API with additional heuristic sources |
CWE‑20 | Python | py/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑20 | Python | py/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑20 | Python | py/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | Python | py/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑20 | Python | py/overly-large-range | Overly permissive regular expression range |
CWE‑20 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑20 | Ruby | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | Ruby | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑20 | Ruby | rb/regex/badly-anchored-regexp | Badly anchored regular expression |
CWE‑20 | Ruby | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑20 | Ruby | rb/overly-large-range | Overly permissive regular expression range |
CWE‑20 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑20 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑20 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑20 | Swift | swift/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑22 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑22 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑22 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑22 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑22 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
CWE‑22 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑22 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑22 | Java | java/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | Java | java/partial-path-traversal | Partial path traversal vulnerability |
CWE‑22 | Java | java/partial-path-traversal-from-remote | Partial path traversal vulnerability from remote |
CWE‑22 | Java | java/openstream-called-on-tainted-url | openStream called on URLs created from remote source |
CWE‑22 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑22 | JavaScript | js/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑22 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
CWE‑22 | Python | py/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | Python | py/tarslip-extended | Arbitrary file write during tarfile extraction |
CWE‑22 | Python | py/unsafe-unpacking | Arbitrary file write during a tarball extraction from a user controlled source |
CWE‑22 | Ruby | rb/zip-slip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑22 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑22 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑23 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑23 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑23 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑23 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑23 | Java | java/partial-path-traversal | Partial path traversal vulnerability |
CWE‑23 | Java | java/partial-path-traversal-from-remote | Partial path traversal vulnerability from remote |
CWE‑23 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑36 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑36 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑36 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑36 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑36 | Java | java/openstream-called-on-tainted-url | openStream called on URLs created from remote source |
CWE‑36 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑73 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑73 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑73 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑73 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑73 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑73 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑73 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑73 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑73 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑73 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑73 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑74 | C++ | cpp/non-constant-format | Non-constant format string |
CWE‑74 | C++ | cpp/command-line-injection | Uncontrolled data used in OS command |
CWE‑74 | C++ | cpp/cgi-xss | CGI script vulnerable to cross-site scripting |
CWE‑74 | C++ | cpp/sql-injection | Uncontrolled data in SQL query |
CWE‑74 | C++ | cpp/tainted-format-string | Uncontrolled format string |
CWE‑74 | C++ | cpp/tainted-format-string-through-global | Uncontrolled format string (through global variable) |
CWE‑74 | C++ | cpp/wordexp-injection | Uncontrolled data used in wordexp command |
CWE‑74 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑74 | C# | cs/command-line-injection | Uncontrolled command line |
CWE‑74 | C# | cs/stored-command-line-injection | Uncontrolled command line from stored user input |
CWE‑74 | C# | cs/web/stored-xss | Stored cross-site scripting |
CWE‑74 | C# | cs/web/xss | Cross-site scripting |
CWE‑74 | C# | cs/second-order-sql-injection | SQL query built from stored user-controlled sources |
CWE‑74 | C# | cs/sql-injection | SQL query built from user-controlled sources |
CWE‑74 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
CWE‑74 | C# | cs/stored-ldap-injection | LDAP query built from stored user-controlled sources |
CWE‑74 | C# | cs/xml-injection | XML injection |
CWE‑74 | C# | cs/code-injection | Improper control of generation of code |
CWE‑74 | C# | cs/resource-injection | Resource injection |
CWE‑74 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
CWE‑74 | C# | cs/xml/stored-xpath-injection | Stored XPath injection |
CWE‑74 | C# | cs/xml/xpath-injection | XPath injection |
CWE‑74 | C# | cs/web/disabled-header-checking | Header checking disabled |
CWE‑74 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑74 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑74 | Go | go/command-injection | Command built from user-controlled sources |
CWE‑74 | Go | go/stored-command | Command built from stored data |
CWE‑74 | Go | go/reflected-xss | Reflected cross-site scripting |
CWE‑74 | Go | go/stored-xss | Stored cross-site scripting |
CWE‑74 | Go | go/sql-injection | Database query built from user-controlled sources |
CWE‑74 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑74 | Go | go/xml/xpath-injection | XPath injection |
CWE‑74 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
CWE‑74 | Go | go/dsn-injection | SQL Data-source URI built from user-controlled sources |
CWE‑74 | Go | go/dsn-injection-local | SQL Data-source URI built from local user-controlled sources |
CWE‑74 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
CWE‑74 | Java | java/jndi-injection | JNDI lookup with user-controlled name |
CWE‑74 | Java | java/xslt-injection | XSLT transformation with user-controlled stylesheet |
CWE‑74 | Java | java/relative-path-command | Executing a command with a relative path |
CWE‑74 | Java | java/command-line-injection | Uncontrolled command line |
CWE‑74 | Java | java/command-line-injection-local | Local-user-controlled command line |
CWE‑74 | Java | java/concatenated-command-line | Building a command line with string concatenation |
CWE‑74 | Java | java/android/webview-addjavascriptinterface | Access Java object methods through JavaScript exposure |
CWE‑74 | Java | java/android/websettings-javascript-enabled | Android WebView JavaScript settings |
CWE‑74 | Java | java/xss | Cross-site scripting |
CWE‑74 | Java | java/xss-local | Cross-site scripting from local source |
CWE‑74 | Java | java/concatenated-sql-query | Query built by concatenation with a possibly-untrusted string |
CWE‑74 | Java | java/sql-injection | Query built from user-controlled sources |
CWE‑74 | Java | java/sql-injection-local | Query built from local-user-controlled sources |
CWE‑74 | Java | java/ldap-injection | LDAP query built from user-controlled sources |
CWE‑74 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑74 | Java | java/groovy-injection | Groovy Language injection |
CWE‑74 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑74 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑74 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑74 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑74 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑74 | Java | java/netty-http-request-or-response-splitting | Disabled Netty HTTP header validation |
CWE‑74 | Java | java/http-response-splitting | HTTP response splitting |
CWE‑74 | Java | java/http-response-splitting-local | HTTP response splitting from local source |
CWE‑74 | Java | java/tainted-format-string | Use of externally-controlled format string |
CWE‑74 | Java | java/tainted-format-string-local | Use of externally-controlled format string from local source |
CWE‑74 | Java | java/xml/xpath-injection | XPath injection |
CWE‑74 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑74 | Java | java/ognl-injection | OGNL Expression Language statement with user-controlled input |
CWE‑74 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑74 | Java | java/command-line-injection-extra | Command Injection into Runtime.exec() with dangerous command |
CWE‑74 | Java | java/command-line-injection-extra-local | Command Injection into Runtime.exec() with dangerous command |
CWE‑74 | Java | java/command-line-injection-experimental | Uncontrolled command line (experimental sinks) |
CWE‑74 | Java | java/mybatis-annotation-sql-injection | SQL injection in MyBatis annotation |
CWE‑74 | Java | java/mybatis-xml-sql-injection | SQL injection in MyBatis Mapper XML |
CWE‑74 | Java | java/beanshell-injection | BeanShell injection |
CWE‑74 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑74 | Java | java/jshell-injection | JShell injection |
CWE‑74 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑74 | Java | java/jython-injection | Injection in Jython |
CWE‑74 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑74 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑74 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑74 | Java | java/xquery-injection | XQuery query built from user-controlled sources |
CWE‑74 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
CWE‑74 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑74 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑74 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑74 | JavaScript | js/command-line-injection | Uncontrolled command line |
CWE‑74 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
CWE‑74 | JavaScript | js/second-order-command-line-injection | Second order command injection |
CWE‑74 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
CWE‑74 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑74 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
CWE‑74 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
CWE‑74 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
CWE‑74 | JavaScript | js/stored-xss | Stored cross-site scripting |
CWE‑74 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑74 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
CWE‑74 | JavaScript | js/xss | Client-side cross-site scripting |
CWE‑74 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
CWE‑74 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
CWE‑74 | JavaScript | js/code-injection | Code injection |
CWE‑74 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑74 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑74 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑74 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑74 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑74 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑74 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑74 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑74 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
CWE‑74 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
CWE‑74 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑74 | JavaScript | js/xpath-injection | XPath injection |
CWE‑74 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑74 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑74 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑74 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑74 | JavaScript | js/command-line-injection-more-sources | Uncontrolled command line with additional heuristic sources |
CWE‑74 | JavaScript | js/xss-more-sources | Client-side cross-site scripting with additional heuristic sources |
CWE‑74 | JavaScript | js/sql-injection-more-sources | Database query built from user-controlled sources with additional heuristic sources |
CWE‑74 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑74 | JavaScript | js/tainted-format-string-more-sources | Use of externally-controlled format string with additional heuristic sources |
CWE‑74 | JavaScript | js/xpath-injection-more-sources | XPath injection with additional heuristic sources |
CWE‑74 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑74 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑74 | Python | py/command-line-injection | Uncontrolled command line |
CWE‑74 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑74 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
CWE‑74 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
CWE‑74 | Python | py/sql-injection | SQL query built from user-controlled sources |
CWE‑74 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
CWE‑74 | Python | py/code-injection | Code injection |
CWE‑74 | Python | py/xpath-injection | XPath query built from user-controlled sources |
CWE‑74 | Python | py/template-injection | Server Side Template Injection |
CWE‑74 | Python | py/paramiko-command-injection | RCE with user provided command with paramiko ssh client |
CWE‑74 | Python | py/reflective-xss-email | Reflected server-side cross-site scripting |
CWE‑74 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
CWE‑74 | Python | py/header-injection | HTTP Header Injection |
CWE‑74 | Python | py/nosql-injection | NoSQL Injection |
CWE‑74 | Ruby | rb/ldap-injection | LDAP Injection |
CWE‑74 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑74 | Ruby | rb/xpath-injection | XPath query built from user-controlled sources |
CWE‑74 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑74 | Ruby | rb/command-line-injection | Uncontrolled command line |
CWE‑74 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑74 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑74 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑74 | Ruby | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑74 | Ruby | rb/stored-xss | Stored cross-site scripting |
CWE‑74 | Ruby | rb/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑74 | Ruby | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑74 | Ruby | rb/code-injection | Code injection |
CWE‑74 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑74 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑74 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑74 | Ruby | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑74 | Swift | swift/command-line-injection | System command built from user-controlled sources |
CWE‑74 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑74 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑74 | Swift | swift/sql-injection | Database query built from user-controlled sources |
CWE‑74 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑74 | Swift | swift/uncontrolled-format-string | Uncontrolled format string |
CWE‑74 | Swift | swift/predicate-injection | Predicate built from user-controlled sources |
CWE‑77 | C++ | cpp/command-line-injection | Uncontrolled data used in OS command |
CWE‑77 | C++ | cpp/wordexp-injection | Uncontrolled data used in wordexp command |
CWE‑77 | C# | cs/command-line-injection | Uncontrolled command line |
CWE‑77 | C# | cs/stored-command-line-injection | Uncontrolled command line from stored user input |
CWE‑77 | Go | go/command-injection | Command built from user-controlled sources |
CWE‑77 | Go | go/stored-command | Command built from stored data |
CWE‑77 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑77 | Java | java/relative-path-command | Executing a command with a relative path |
CWE‑77 | Java | java/command-line-injection | Uncontrolled command line |
CWE‑77 | Java | java/command-line-injection-local | Local-user-controlled command line |
CWE‑77 | Java | java/concatenated-command-line | Building a command line with string concatenation |
CWE‑77 | Java | java/ognl-injection | OGNL Expression Language statement with user-controlled input |
CWE‑77 | Java | java/command-line-injection-extra | Command Injection into Runtime.exec() with dangerous command |
CWE‑77 | Java | java/command-line-injection-extra-local | Command Injection into Runtime.exec() with dangerous command |
CWE‑77 | Java | java/command-line-injection-experimental | Uncontrolled command line (experimental sinks) |
CWE‑77 | JavaScript | js/command-line-injection | Uncontrolled command line |
CWE‑77 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
CWE‑77 | JavaScript | js/second-order-command-line-injection | Second order command injection |
CWE‑77 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
CWE‑77 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑77 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
CWE‑77 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑77 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑77 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑77 | JavaScript | js/command-line-injection-more-sources | Uncontrolled command line with additional heuristic sources |
CWE‑77 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑77 | Python | py/command-line-injection | Uncontrolled command line |
CWE‑77 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑77 | Ruby | rb/command-line-injection | Uncontrolled command line |
CWE‑77 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑77 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑77 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑77 | Swift | swift/command-line-injection | System command built from user-controlled sources |
CWE‑78 | C++ | cpp/command-line-injection | Uncontrolled data used in OS command |
CWE‑78 | C++ | cpp/wordexp-injection | Uncontrolled data used in wordexp command |
CWE‑78 | C# | cs/command-line-injection | Uncontrolled command line |
CWE‑78 | C# | cs/stored-command-line-injection | Uncontrolled command line from stored user input |
CWE‑78 | Go | go/command-injection | Command built from user-controlled sources |
CWE‑78 | Go | go/stored-command | Command built from stored data |
CWE‑78 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑78 | Java | java/relative-path-command | Executing a command with a relative path |
CWE‑78 | Java | java/command-line-injection | Uncontrolled command line |
CWE‑78 | Java | java/command-line-injection-local | Local-user-controlled command line |
CWE‑78 | Java | java/concatenated-command-line | Building a command line with string concatenation |
CWE‑78 | Java | java/command-line-injection-extra | Command Injection into Runtime.exec() with dangerous command |
CWE‑78 | Java | java/command-line-injection-extra-local | Command Injection into Runtime.exec() with dangerous command |
CWE‑78 | Java | java/command-line-injection-experimental | Uncontrolled command line (experimental sinks) |
CWE‑78 | JavaScript | js/command-line-injection | Uncontrolled command line |
CWE‑78 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
CWE‑78 | JavaScript | js/second-order-command-line-injection | Second order command injection |
CWE‑78 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
CWE‑78 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑78 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
CWE‑78 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑78 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑78 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑78 | JavaScript | js/command-line-injection-more-sources | Uncontrolled command line with additional heuristic sources |
CWE‑78 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑78 | Python | py/command-line-injection | Uncontrolled command line |
CWE‑78 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑78 | Ruby | rb/command-line-injection | Uncontrolled command line |
CWE‑78 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑78 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑78 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑78 | Swift | swift/command-line-injection | System command built from user-controlled sources |
CWE‑79 | C++ | cpp/cgi-xss | CGI script vulnerable to cross-site scripting |
CWE‑79 | C# | cs/web/stored-xss | Stored cross-site scripting |
CWE‑79 | C# | cs/web/xss | Cross-site scripting |
CWE‑79 | Go | go/reflected-xss | Reflected cross-site scripting |
CWE‑79 | Go | go/stored-xss | Stored cross-site scripting |
CWE‑79 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
CWE‑79 | Java | java/android/webview-addjavascriptinterface | Access Java object methods through JavaScript exposure |
CWE‑79 | Java | java/android/websettings-javascript-enabled | Android WebView JavaScript settings |
CWE‑79 | Java | java/xss | Cross-site scripting |
CWE‑79 | Java | java/xss-local | Cross-site scripting from local source |
CWE‑79 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑79 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
CWE‑79 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
CWE‑79 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
CWE‑79 | JavaScript | js/stored-xss | Stored cross-site scripting |
CWE‑79 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑79 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
CWE‑79 | JavaScript | js/xss | Client-side cross-site scripting |
CWE‑79 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
CWE‑79 | JavaScript | js/code-injection | Code injection |
CWE‑79 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑79 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑79 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑79 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑79 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑79 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑79 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
CWE‑79 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑79 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑79 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑79 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑79 | JavaScript | js/xss-more-sources | Client-side cross-site scripting with additional heuristic sources |
CWE‑79 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑79 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑79 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
CWE‑79 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
CWE‑79 | Python | py/reflective-xss-email | Reflected server-side cross-site scripting |
CWE‑79 | Python | py/header-injection | HTTP Header Injection |
CWE‑79 | Ruby | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑79 | Ruby | rb/stored-xss | Stored cross-site scripting |
CWE‑79 | Ruby | rb/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑79 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑79 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑79 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑79 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑80 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑80 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑80 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑80 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑80 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑88 | C++ | cpp/command-line-injection | Uncontrolled data used in OS command |
CWE‑88 | C# | cs/command-line-injection | Uncontrolled command line |
CWE‑88 | C# | cs/stored-command-line-injection | Uncontrolled command line from stored user input |
CWE‑88 | Java | java/relative-path-command | Executing a command with a relative path |
CWE‑88 | Java | java/command-line-injection | Uncontrolled command line |
CWE‑88 | Java | java/command-line-injection-local | Local-user-controlled command line |
CWE‑88 | Java | java/concatenated-command-line | Building a command line with string concatenation |
CWE‑88 | Java | java/command-line-injection-experimental | Uncontrolled command line (experimental sinks) |
CWE‑88 | JavaScript | js/command-line-injection | Uncontrolled command line |
CWE‑88 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
CWE‑88 | JavaScript | js/second-order-command-line-injection | Second order command injection |
CWE‑88 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
CWE‑88 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑88 | JavaScript | js/command-line-injection-more-sources | Uncontrolled command line with additional heuristic sources |
CWE‑88 | Python | py/command-line-injection | Uncontrolled command line |
CWE‑88 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑88 | Ruby | rb/command-line-injection | Uncontrolled command line |
CWE‑88 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑88 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑88 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑88 | Swift | swift/command-line-injection | System command built from user-controlled sources |
CWE‑89 | C++ | cpp/sql-injection | Uncontrolled data in SQL query |
CWE‑89 | C# | cs/second-order-sql-injection | SQL query built from stored user-controlled sources |
CWE‑89 | C# | cs/sql-injection | SQL query built from user-controlled sources |
CWE‑89 | Go | go/sql-injection | Database query built from user-controlled sources |
CWE‑89 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑89 | Java | java/concatenated-sql-query | Query built by concatenation with a possibly-untrusted string |
CWE‑89 | Java | java/sql-injection | Query built from user-controlled sources |
CWE‑89 | Java | java/sql-injection-local | Query built from local-user-controlled sources |
CWE‑89 | Java | java/mybatis-annotation-sql-injection | SQL injection in MyBatis annotation |
CWE‑89 | Java | java/mybatis-xml-sql-injection | SQL injection in MyBatis Mapper XML |
CWE‑89 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
CWE‑89 | JavaScript | js/sql-injection-more-sources | Database query built from user-controlled sources with additional heuristic sources |
CWE‑89 | Python | py/sql-injection | SQL query built from user-controlled sources |
CWE‑89 | Ruby | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑89 | Swift | swift/sql-injection | Database query built from user-controlled sources |
CWE‑90 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
CWE‑90 | C# | cs/stored-ldap-injection | LDAP query built from stored user-controlled sources |
CWE‑90 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
CWE‑90 | Java | java/ldap-injection | LDAP query built from user-controlled sources |
CWE‑90 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
CWE‑90 | JavaScript | js/sql-injection-more-sources | Database query built from user-controlled sources with additional heuristic sources |
CWE‑90 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
CWE‑90 | Ruby | rb/ldap-injection | LDAP Injection |
CWE‑91 | C# | cs/xml-injection | XML injection |
CWE‑91 | C# | cs/xml/stored-xpath-injection | Stored XPath injection |
CWE‑91 | C# | cs/xml/xpath-injection | XPath injection |
CWE‑91 | Go | go/xml/xpath-injection | XPath injection |
CWE‑91 | Java | java/xml/xpath-injection | XPath injection |
CWE‑91 | Java | java/xquery-injection | XQuery query built from user-controlled sources |
CWE‑91 | JavaScript | js/xpath-injection | XPath injection |
CWE‑91 | JavaScript | js/xpath-injection-more-sources | XPath injection with additional heuristic sources |
CWE‑91 | Python | py/xpath-injection | XPath query built from user-controlled sources |
CWE‑91 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
CWE‑91 | Ruby | rb/xpath-injection | XPath query built from user-controlled sources |
CWE‑93 | C# | cs/web/disabled-header-checking | Header checking disabled |
CWE‑93 | Java | java/netty-http-request-or-response-splitting | Disabled Netty HTTP header validation |
CWE‑93 | Java | java/http-response-splitting | HTTP response splitting |
CWE‑93 | Java | java/http-response-splitting-local | HTTP response splitting from local source |
CWE‑93 | Python | py/header-injection | HTTP Header Injection |
CWE‑94 | C# | cs/code-injection | Improper control of generation of code |
CWE‑94 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑94 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑94 | Java | java/groovy-injection | Groovy Language injection |
CWE‑94 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑94 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑94 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑94 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑94 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑94 | Java | java/beanshell-injection | BeanShell injection |
CWE‑94 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑94 | Java | java/jshell-injection | JShell injection |
CWE‑94 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑94 | Java | java/jython-injection | Injection in Jython |
CWE‑94 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑94 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑94 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑94 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑94 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑94 | JavaScript | js/code-injection | Code injection |
CWE‑94 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑94 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑94 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑94 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑94 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑94 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑94 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑94 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑94 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑94 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑94 | Python | py/code-injection | Code injection |
CWE‑94 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑94 | Ruby | rb/code-injection | Code injection |
CWE‑94 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑94 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑94 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑95 | C# | cs/code-injection | Improper control of generation of code |
CWE‑95 | Java | java/jython-injection | Injection in Jython |
CWE‑95 | JavaScript | js/code-injection | Code injection |
CWE‑95 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑95 | Python | py/code-injection | Code injection |
CWE‑95 | Ruby | rb/code-injection | Code injection |
CWE‑95 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑95 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑96 | C# | cs/code-injection | Improper control of generation of code |
CWE‑99 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑99 | C# | cs/resource-injection | Resource injection |
CWE‑99 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑99 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑99 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑99 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑99 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑99 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑112 | C# | cs/xml/missing-validation | Missing XML validation |
CWE‑113 | C# | cs/web/disabled-header-checking | Header checking disabled |
CWE‑113 | Java | java/netty-http-request-or-response-splitting | Disabled Netty HTTP header validation |
CWE‑113 | Java | java/http-response-splitting | HTTP response splitting |
CWE‑113 | Java | java/http-response-splitting-local | HTTP response splitting from local source |
CWE‑113 | Python | py/header-injection | HTTP Header Injection |
CWE‑114 | C++ | cpp/uncontrolled-process-operation | Uncontrolled process operation |
CWE‑114 | C# | cs/assembly-path-injection | Assembly path injection |
CWE‑116 | C# | cs/web/stored-xss | Stored cross-site scripting |
CWE‑116 | C# | cs/web/xss | Cross-site scripting |
CWE‑116 | C# | cs/log-forging | Log entries created from user input |
CWE‑116 | C# | cs/inappropriate-encoding | Inappropriate encoding |
CWE‑116 | Go | go/reflected-xss | Reflected cross-site scripting |
CWE‑116 | Go | go/stored-xss | Stored cross-site scripting |
CWE‑116 | Go | go/log-injection | Log entries created from user input |
CWE‑116 | Java | java/log-injection | Log Injection |
CWE‑116 | JavaScript | js/angular/disabling-sce | Disabling SCE |
CWE‑116 | JavaScript | js/identity-replacement | Replacement of a substring with itself |
CWE‑116 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
CWE‑116 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
CWE‑116 | JavaScript | js/stored-xss | Stored cross-site scripting |
CWE‑116 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑116 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
CWE‑116 | JavaScript | js/xss | Client-side cross-site scripting |
CWE‑116 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
CWE‑116 | JavaScript | js/code-injection | Code injection |
CWE‑116 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑116 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑116 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑116 | JavaScript | js/double-escaping | Double escaping or unescaping |
CWE‑116 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑116 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑116 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑116 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
CWE‑116 | JavaScript | js/log-injection | Log injection |
CWE‑116 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑116 | JavaScript | js/xss-more-sources | Client-side cross-site scripting with additional heuristic sources |
CWE‑116 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑116 | JavaScript | js/log-injection-more-sources | Log injection with additional heuristic sources |
CWE‑116 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
CWE‑116 | Python | py/code-injection | Code injection |
CWE‑116 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑116 | Python | py/log-injection | Log Injection |
CWE‑116 | Python | py/reflective-xss-email | Reflected server-side cross-site scripting |
CWE‑116 | Ruby | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑116 | Ruby | rb/stored-xss | Stored cross-site scripting |
CWE‑116 | Ruby | rb/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑116 | Ruby | rb/code-injection | Code injection |
CWE‑116 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑116 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑116 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑116 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑116 | Ruby | rb/log-injection | Log injection |
CWE‑116 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑117 | C# | cs/log-forging | Log entries created from user input |
CWE‑117 | Go | go/log-injection | Log entries created from user input |
CWE‑117 | Java | java/log-injection | Log Injection |
CWE‑117 | JavaScript | js/log-injection | Log injection |
CWE‑117 | JavaScript | js/log-injection-more-sources | Log injection with additional heuristic sources |
CWE‑117 | Python | py/log-injection | Log Injection |
CWE‑117 | Ruby | rb/log-injection | Log injection |
CWE‑118 | C++ | cpp/offset-use-before-range-check | Array offset used before range check |
CWE‑118 | C++ | cpp/double-free | Potential double free |
CWE‑118 | C++ | cpp/late-negative-test | Pointer offset used before it is checked |
CWE‑118 | C++ | cpp/missing-negativity-test | Unchecked return value used as offset |
CWE‑118 | C++ | cpp/overflow-calculated | Buffer not sufficient for string |
CWE‑118 | C++ | cpp/overflow-destination | Copy function using source size |
CWE‑118 | C++ | cpp/static-buffer-overflow | Static array access may cause overflow |
CWE‑118 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑118 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑118 | C++ | cpp/use-after-free | Potential use after free |
CWE‑118 | C++ | cpp/upcast-array-pointer-arithmetic | Upcast array used in pointer arithmetic |
CWE‑118 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑118 | C++ | cpp/bad-strncpy-size | Possibly wrong buffer size in string copy |
CWE‑118 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑118 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑118 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑118 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑118 | C++ | cpp/overrun-write | Overrunning write |
CWE‑118 | C++ | cpp/badly-bounded-write | Badly bounded write |
CWE‑118 | C++ | cpp/overrunning-write | Potentially overrunning write |
CWE‑118 | C++ | cpp/overrunning-write-with-float | Potentially overrunning write with float to string conversion |
CWE‑118 | C++ | cpp/unbounded-write | Unbounded write |
CWE‑118 | C++ | cpp/very-likely-overrunning-write | Likely overrunning write |
CWE‑118 | C++ | cpp/unterminated-variadic-call | Unterminated variadic call |
CWE‑118 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑118 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑118 | C++ | cpp/openssl-heartbleed | Use of a version of OpenSSL with Heartbleed |
CWE‑118 | C++ | cpp/memory-unsafe-function-scan | Scanf function without a specified length |
CWE‑118 | C++ | cpp/dangerous-use-convert-function | Dangerous use convert function. |
CWE‑118 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑118 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑118 | C++ | cpp/sign-conversion-pointer-arithmetic | unsigned to signed used in pointer arithmetic |
CWE‑118 | C++ | cpp/access-memory-location-after-end-buffer-strlen | Access Of Memory Location After End Of Buffer |
CWE‑118 | C++ | cpp/buffer-access-with-incorrect-length-value | Buffer access with incorrect length value |
CWE‑118 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑118 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
CWE‑119 | C++ | cpp/offset-use-before-range-check | Array offset used before range check |
CWE‑119 | C++ | cpp/double-free | Potential double free |
CWE‑119 | C++ | cpp/late-negative-test | Pointer offset used before it is checked |
CWE‑119 | C++ | cpp/missing-negativity-test | Unchecked return value used as offset |
CWE‑119 | C++ | cpp/overflow-calculated | Buffer not sufficient for string |
CWE‑119 | C++ | cpp/overflow-destination | Copy function using source size |
CWE‑119 | C++ | cpp/static-buffer-overflow | Static array access may cause overflow |
CWE‑119 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑119 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑119 | C++ | cpp/use-after-free | Potential use after free |
CWE‑119 | C++ | cpp/upcast-array-pointer-arithmetic | Upcast array used in pointer arithmetic |
CWE‑119 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑119 | C++ | cpp/bad-strncpy-size | Possibly wrong buffer size in string copy |
CWE‑119 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑119 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑119 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑119 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑119 | C++ | cpp/overrun-write | Overrunning write |
CWE‑119 | C++ | cpp/badly-bounded-write | Badly bounded write |
CWE‑119 | C++ | cpp/overrunning-write | Potentially overrunning write |
CWE‑119 | C++ | cpp/overrunning-write-with-float | Potentially overrunning write with float to string conversion |
CWE‑119 | C++ | cpp/unbounded-write | Unbounded write |
CWE‑119 | C++ | cpp/very-likely-overrunning-write | Likely overrunning write |
CWE‑119 | C++ | cpp/unterminated-variadic-call | Unterminated variadic call |
CWE‑119 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑119 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑119 | C++ | cpp/openssl-heartbleed | Use of a version of OpenSSL with Heartbleed |
CWE‑119 | C++ | cpp/memory-unsafe-function-scan | Scanf function without a specified length |
CWE‑119 | C++ | cpp/dangerous-use-convert-function | Dangerous use convert function. |
CWE‑119 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑119 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑119 | C++ | cpp/sign-conversion-pointer-arithmetic | unsigned to signed used in pointer arithmetic |
CWE‑119 | C++ | cpp/access-memory-location-after-end-buffer-strlen | Access Of Memory Location After End Of Buffer |
CWE‑119 | C++ | cpp/buffer-access-with-incorrect-length-value | Buffer access with incorrect length value |
CWE‑119 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑119 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
CWE‑120 | C++ | cpp/offset-use-before-range-check | Array offset used before range check |
CWE‑120 | C++ | cpp/overflow-calculated | Buffer not sufficient for string |
CWE‑120 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑120 | C++ | cpp/badly-bounded-write | Badly bounded write |
CWE‑120 | C++ | cpp/overrunning-write | Potentially overrunning write |
CWE‑120 | C++ | cpp/overrunning-write-with-float | Potentially overrunning write with float to string conversion |
CWE‑120 | C++ | cpp/unbounded-write | Unbounded write |
CWE‑120 | C++ | cpp/very-likely-overrunning-write | Likely overrunning write |
CWE‑120 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑120 | C++ | cpp/memory-unsafe-function-scan | Scanf function without a specified length |
CWE‑120 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑121 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑121 | C++ | cpp/unterminated-variadic-call | Unterminated variadic call |
CWE‑122 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑122 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑122 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑122 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑122 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑125 | C++ | cpp/offset-use-before-range-check | Array offset used before range check |
CWE‑125 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑125 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑125 | C++ | cpp/dangerous-use-convert-function | Dangerous use convert function. |
CWE‑125 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
CWE‑126 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑126 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
CWE‑128 | C++ | cpp/signed-overflow-check | Signed overflow check |
CWE‑128 | C++ | cpp/multiplication-overflow-in-alloc | Multiplication result may overflow and be used in allocation |
CWE‑129 | C++ | cpp/unclear-array-index-validation | Unclear validation of array index |
CWE‑129 | Java | java/improper-validation-of-array-construction | Improper validation of user-provided size used for array construction |
CWE‑129 | Java | java/improper-validation-of-array-construction-code-specified | Improper validation of code-specified size used for array construction |
CWE‑129 | Java | java/improper-validation-of-array-construction-local | Improper validation of local user-provided size used for array construction |
CWE‑129 | Java | java/improper-validation-of-array-index | Improper validation of user-provided array index |
CWE‑129 | Java | java/improper-validation-of-array-index-code-specified | Improper validation of code-specified array index |
CWE‑129 | Java | java/improper-validation-of-array-index-local | Improper validation of local user-provided array index |
CWE‑131 | C++ | cpp/overflow-calculated | Buffer not sufficient for string |
CWE‑131 | C++ | cpp/overflow-destination | Copy function using source size |
CWE‑131 | C++ | cpp/static-buffer-overflow | Static array access may cause overflow |
CWE‑131 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑131 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑131 | C++ | cpp/overrun-write | Overrunning write |
CWE‑131 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑134 | C++ | cpp/non-constant-format | Non-constant format string |
CWE‑134 | C++ | cpp/tainted-format-string | Uncontrolled format string |
CWE‑134 | C++ | cpp/tainted-format-string-through-global | Uncontrolled format string (through global variable) |
CWE‑134 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
CWE‑134 | Java | java/tainted-format-string | Use of externally-controlled format string |
CWE‑134 | Java | java/tainted-format-string-local | Use of externally-controlled format string from local source |
CWE‑134 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
CWE‑134 | JavaScript | js/tainted-format-string-more-sources | Use of externally-controlled format string with additional heuristic sources |
CWE‑134 | Ruby | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑134 | Swift | swift/uncontrolled-format-string | Uncontrolled format string |
CWE‑135 | Swift | swift/string-length-conflation | String length conflation |
CWE‑170 | C++ | cpp/improper-null-termination | Potential improper null termination |
CWE‑170 | C++ | cpp/user-controlled-null-termination-tainted | User-controlled data may not be null terminated |
CWE‑172 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑172 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑176 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑176 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑178 | JavaScript | js/case-sensitive-middleware-path | Case-sensitive middleware path |
CWE‑179 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑179 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑180 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑180 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑183 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑183 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
CWE‑183 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑183 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑184 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑184 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑185 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
CWE‑185 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑185 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑185 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑185 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑186 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑186 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑186 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑186 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑190 | C++ | cpp/ambiguously-signed-bit-field | Ambiguously signed bit-field member |
CWE‑190 | C++ | cpp/bad-addition-overflow-check | Bad check for overflow of integer addition |
CWE‑190 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑190 | C++ | cpp/signed-overflow-check | Signed overflow check |
CWE‑190 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑190 | C++ | cpp/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑190 | C++ | cpp/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑190 | C++ | cpp/arithmetic-with-extreme-values | Use of extreme values in arithmetic expression |
CWE‑190 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑190 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑190 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑190 | C++ | cpp/multiplication-overflow-in-alloc | Multiplication result may overflow and be used in allocation |
CWE‑190 | C++ | cpp/dangerous-use-of-transformation-after-operation | Dangerous use of transformation after operation. |
CWE‑190 | C++ | cpp/signed-bit-field | Possible signed bit-field member |
CWE‑190 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑190 | Go | go/allocation-size-overflow | Size computation for allocation may overflow |
CWE‑190 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
CWE‑190 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑190 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑190 | Java | java/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑190 | Java | java/tainted-arithmetic-local | Local-user-controlled data in arithmetic expression |
CWE‑190 | Java | java/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑190 | Java | java/extreme-value-arithmetic | Use of extreme values in arithmetic expression |
CWE‑190 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑191 | C++ | cpp/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑191 | C++ | cpp/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑191 | C++ | cpp/arithmetic-with-extreme-values | Use of extreme values in arithmetic expression |
CWE‑191 | C++ | cpp/unsigned-difference-expression-compared-zero | Unsigned difference expression compared to zero |
CWE‑191 | Java | java/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑191 | Java | java/tainted-arithmetic-local | Local-user-controlled data in arithmetic expression |
CWE‑191 | Java | java/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑191 | Java | java/extreme-value-arithmetic | Use of extreme values in arithmetic expression |
CWE‑193 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑193 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length |
CWE‑193 | Go | go/index-out-of-bounds | Off-by-one comparison against length |
CWE‑193 | Java | java/index-out-of-bounds | Array index out of bounds |
CWE‑193 | JavaScript | js/index-out-of-bounds | Off-by-one comparison against length |
CWE‑197 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑197 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑197 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑197 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑197 | Go | go/shift-out-of-range | Shift out of range |
CWE‑197 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑197 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑197 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑197 | Java | java/tainted-numeric-cast | User-controlled data in numeric cast |
CWE‑197 | Java | java/tainted-numeric-cast-local | Local-user-controlled data in numeric cast |
CWE‑197 | JavaScript | js/shift-out-of-range | Shift out of range |
CWE‑200 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑200 | C++ | cpp/system-data-exposure | Exposure of system data to an unauthorized control sphere |
CWE‑200 | C++ | cpp/potential-system-data-exposure | Potential exposure of sensitive system data to an unauthorized control sphere |
CWE‑200 | C++ | cpp/work-with-file-without-permissions-rights | Writing to a file without setting permissions. |
CWE‑200 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑200 | C++ | cpp/private-cleartext-write | Exposure of private information |
CWE‑200 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑200 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
CWE‑200 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑200 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑200 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
CWE‑200 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑200 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
CWE‑200 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑200 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑200 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
CWE‑200 | Java | java/android/websettings-allow-content-access | Android WebView settings allows access to content links |
CWE‑200 | Java | java/android/websettings-file-access | Android WebSettings file access |
CWE‑200 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑200 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑200 | Java | java/android/sensitive-keyboard-cache | Android sensitive keyboard cache |
CWE‑200 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑200 | Java | java/insecure-webview-resource-response | Insecure Android WebView Resource Response |
CWE‑200 | Java | java/sensitive-android-file-leak | Leaking sensitive Android file |
CWE‑200 | Java | java/possible-timing-attack-against-signature | Possible timing attack against signature validation |
CWE‑200 | Java | java/timing-attack-against-headers-value | Timing attack against header value |
CWE‑200 | Java | java/timing-attack-against-signature | Timing attack against signature validation |
CWE‑200 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑200 | Java | java/sensitive-query-with-get | Sensitive GET Query |
CWE‑200 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
CWE‑200 | JavaScript | js/file-access-to-http | File data in outbound network request |
CWE‑200 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑200 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
CWE‑200 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑200 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑200 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑200 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑200 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
CWE‑200 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
CWE‑200 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑200 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑200 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑200 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑200 | Python | py/possible-timing-attack-against-hash | Timing attack against Hash |
CWE‑200 | Python | py/timing-attack-against-hash | Timing attack against Hash |
CWE‑200 | Python | py/timing-attack-against-header-value | Timing attack against header value |
CWE‑200 | Python | py/possible-timing-attack-sensitive-info | Timing attack against secret |
CWE‑200 | Python | py/timing-attack-sensitive-info | Timing attack against secret |
CWE‑200 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑200 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑200 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑200 | Ruby | rb/sensitive-get-query | Sensitive data read from GET request |
CWE‑200 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑201 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
CWE‑201 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
CWE‑203 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
CWE‑203 | Java | java/possible-timing-attack-against-signature | Possible timing attack against signature validation |
CWE‑203 | Java | java/timing-attack-against-headers-value | Timing attack against header value |
CWE‑203 | Java | java/timing-attack-against-signature | Timing attack against signature validation |
CWE‑203 | Python | py/possible-timing-attack-against-hash | Timing attack against Hash |
CWE‑203 | Python | py/timing-attack-against-hash | Timing attack against Hash |
CWE‑203 | Python | py/timing-attack-against-header-value | Timing attack against header value |
CWE‑203 | Python | py/possible-timing-attack-sensitive-info | Timing attack against secret |
CWE‑203 | Python | py/timing-attack-sensitive-info | Timing attack against secret |
CWE‑208 | Java | java/possible-timing-attack-against-signature | Possible timing attack against signature validation |
CWE‑208 | Java | java/timing-attack-against-headers-value | Timing attack against header value |
CWE‑208 | Java | java/timing-attack-against-signature | Timing attack against signature validation |
CWE‑208 | Python | py/possible-timing-attack-against-hash | Timing attack against Hash |
CWE‑208 | Python | py/timing-attack-against-hash | Timing attack against Hash |
CWE‑208 | Python | py/timing-attack-against-header-value | Timing attack against header value |
CWE‑208 | Python | py/possible-timing-attack-sensitive-info | Timing attack against secret |
CWE‑208 | Python | py/timing-attack-sensitive-info | Timing attack against secret |
CWE‑209 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑209 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑209 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑209 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑209 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑209 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑215 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑215 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑216 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑219 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑221 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑221 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑221 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑221 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑221 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑227 | C++ | cpp/double-free | Potential double free |
CWE‑227 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑227 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑227 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑227 | C++ | cpp/wrong-type-format-argument | Wrong type of arguments to formatting function |
CWE‑227 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑227 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑227 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑227 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑227 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑227 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑227 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑227 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑227 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑227 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑227 | C++ | cpp/double-release | Errors When Double Release |
CWE‑227 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
CWE‑227 | C# | cs/invalid-dynamic-call | Bad dynamic call |
CWE‑227 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑227 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑227 | Java | java/ejb/file-io | EJB uses file input/output |
CWE‑227 | Java | java/ejb/graphics | EJB uses graphics |
CWE‑227 | Java | java/ejb/native-code | EJB uses native code |
CWE‑227 | Java | java/ejb/reflection | EJB uses reflection |
CWE‑227 | Java | java/ejb/security-configuration-access | EJB accesses security configuration |
CWE‑227 | Java | java/ejb/substitution-in-serialization | EJB uses substitution in serialization |
CWE‑227 | Java | java/ejb/socket-or-stream-handler-factory | EJB sets socket factory or URL stream handler factory |
CWE‑227 | Java | java/ejb/server-socket | EJB uses server socket |
CWE‑227 | Java | java/ejb/non-final-static-field | EJB uses non-final static field |
CWE‑227 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑227 | Java | java/ejb/this | EJB uses 'this' as argument or result |
CWE‑227 | Java | java/ejb/threads | EJB uses threads |
CWE‑227 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑227 | Java | java/inconsistent-equals-and-hashcode | Inconsistent equals and hashCode |
CWE‑227 | Java | java/unreleased-lock | Unreleased lock |
CWE‑227 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑227 | Java | java/missing-format-argument | Missing format argument |
CWE‑227 | Java | java/unused-format-argument | Unused format argument |
CWE‑227 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑227 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑227 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
CWE‑227 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑227 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
CWE‑227 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
CWE‑227 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
CWE‑227 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
CWE‑227 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
CWE‑227 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
CWE‑227 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
CWE‑227 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑228 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑228 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑233 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑233 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑234 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑234 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑242 | C++ | cpp/dangerous-function-overflow | Use of dangerous function |
CWE‑243 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑247 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑247 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑248 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑248 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑248 | Java | java/uncaught-number-format-exception | Missing catch of NumberFormatException |
CWE‑248 | Java | java/uncaught-servlet-exception | Uncaught Servlet Exception |
CWE‑248 | JavaScript | js/server-crash | Server crash |
CWE‑250 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑250 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑252 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑252 | C++ | cpp/return-value-ignored | Return value of a function is ignored |
CWE‑252 | C++ | cpp/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑252 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑252 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑252 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑252 | C# | cs/unchecked-return-value | Unchecked return value |
CWE‑252 | Java | java/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑252 | Java | java/return-value-ignored | Method result ignored |
CWE‑252 | Python | py/ignored-return-value | Ignored return value |
CWE‑253 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑253 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑253 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑256 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑256 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑256 | Java | java/password-in-configuration | Password in configuration file |
CWE‑256 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑258 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑258 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑259 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑259 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑259 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑259 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑259 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑259 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑259 | Swift | swift/constant-password | Constant password |
CWE‑260 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑260 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑260 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑260 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑260 | Java | java/password-in-configuration | Password in configuration file |
CWE‑260 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑260 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑266 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑266 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑269 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑269 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑269 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑269 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑269 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑269 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑271 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑271 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑273 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑273 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑284 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑284 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑284 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑284 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑284 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑284 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑284 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑284 | C++ | cpp/pam-auth-bypass | PAM Authorization bypass |
CWE‑284 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑284 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑284 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
CWE‑284 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑284 | C# | cs/session-reuse | Failure to abandon session |
CWE‑284 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑284 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑284 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
CWE‑284 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
CWE‑284 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
CWE‑284 | Go | go/email-injection | Email content injection |
CWE‑284 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑284 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑284 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑284 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑284 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑284 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑284 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑284 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑284 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑284 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑284 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑284 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑284 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑284 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑284 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑284 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑284 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑284 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑284 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑284 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑284 | Java | java/improper-intent-verification | Improper verification of intent by broadcast receiver |
CWE‑284 | Java | java/android/incomplete-provider-permissions | Missing read or write permission in a content provider |
CWE‑284 | Java | java/android/implicitly-exported-component | Implicitly exported Android component |
CWE‑284 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑284 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑284 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑284 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑284 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑284 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑284 | Java | java/unvalidated-cors-origin-set | CORS is derived from untrusted input |
CWE‑284 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑284 | Java | java/password-in-configuration | Password in configuration file |
CWE‑284 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑284 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑284 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑284 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑284 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑284 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑284 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑284 | JavaScript | js/session-fixation | Failure to abandon session |
CWE‑284 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑284 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
CWE‑284 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑284 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑284 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑284 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑284 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑284 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑284 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑284 | Python | py/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑284 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑284 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | Python | py/flask-constant-secret-key | Initializing SECRET_KEY of Flask application with Constant value |
CWE‑284 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
CWE‑284 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑284 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑284 | Ruby | rb/improper-ldap-auth | Improper LDAP Authentication |
CWE‑284 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑284 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑284 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑284 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | Swift | swift/constant-password | Constant password |
CWE‑284 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑285 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑285 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑285 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑285 | C++ | cpp/pam-auth-bypass | PAM Authorization bypass |
CWE‑285 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑285 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
CWE‑285 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑285 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑285 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑285 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑285 | Java | java/android/incomplete-provider-permissions | Missing read or write permission in a content provider |
CWE‑285 | Java | java/android/implicitly-exported-component | Implicitly exported Android component |
CWE‑285 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑285 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑285 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑285 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑285 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑285 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑285 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑285 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑285 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑285 | Python | py/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑285 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑285 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑285 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑287 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑287 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑287 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑287 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑287 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑287 | C# | cs/session-reuse | Failure to abandon session |
CWE‑287 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑287 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑287 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑287 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
CWE‑287 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
CWE‑287 | Go | go/email-injection | Email content injection |
CWE‑287 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑287 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑287 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑287 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑287 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑287 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑287 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑287 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑287 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑287 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑287 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑287 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑287 | Java | java/password-in-configuration | Password in configuration file |
CWE‑287 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑287 | JavaScript | js/session-fixation | Failure to abandon session |
CWE‑287 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
CWE‑287 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑287 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑287 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑287 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑287 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑287 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑287 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑287 | Python | py/flask-constant-secret-key | Initializing SECRET_KEY of Flask application with Constant value |
CWE‑287 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
CWE‑287 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑287 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑287 | Ruby | rb/improper-ldap-auth | Improper LDAP Authentication |
CWE‑287 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑287 | Swift | swift/constant-password | Constant password |
CWE‑287 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑290 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑290 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑290 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑290 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑290 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑290 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑290 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑290 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑290 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑295 | C++ | cpp/certificate-result-conflation | Certificate result conflation |
CWE‑295 | C++ | cpp/certificate-not-checked | Certificate not checked |
CWE‑295 | Go | go/disabled-certificate-check | Disabled TLS certificate check |
CWE‑295 | Java | java/android/missing-certificate-pinning | Android missing certificate pinning |
CWE‑295 | Java | java/improper-webview-certificate-validation | Android WebView that accepts all certificates |
CWE‑295 | Java | java/insecure-trustmanager | TrustManager that accepts all certificates |
CWE‑295 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑295 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑295 | Java | java/jxbrowser/disabled-certificate-validation | JxBrowser with disabled certificate validation |
CWE‑295 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑295 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑295 | Java | java/disabled-certificate-revocation-checking | Disabled certificate revocation checking |
CWE‑295 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑295 | Python | py/paramiko-missing-host-key-validation | Accepting unknown SSH host keys when using Paramiko |
CWE‑295 | Python | py/request-without-cert-validation | Request without certificate validation |
CWE‑295 | Ruby | rb/request-without-cert-validation | Request without certificate validation |
CWE‑297 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑297 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑297 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑297 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑297 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑299 | Java | java/disabled-certificate-revocation-checking | Disabled certificate revocation checking |
CWE‑300 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑300 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑300 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑307 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑311 | C++ | cpp/cleartext-storage-buffer | Cleartext storage of sensitive information in buffer |
CWE‑311 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑311 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑311 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑311 | C++ | cpp/non-https-url | Failure to use HTTPS URLs |
CWE‑311 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑311 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑311 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
CWE‑311 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true |
CWE‑311 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑311 | Java | java/android/backup-enabled | Application backup allowed |
CWE‑311 | Java | java/android/cleartext-storage-database | Cleartext storage of sensitive information using a local database on Android |
CWE‑311 | Java | java/android/cleartext-storage-filesystem | Cleartext storage of sensitive information in the Android filesystem |
CWE‑311 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑311 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑311 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑311 | Java | java/android/cleartext-storage-shared-prefs | Cleartext storage of sensitive information using SharedPreferences on Android |
CWE‑311 | Java | java/non-https-url | Failure to use HTTPS URLs |
CWE‑311 | Java | java/non-ssl-connection | Failure to use SSL |
CWE‑311 | Java | java/non-ssl-socket-factory | Failure to use SSL socket factories |
CWE‑311 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑311 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑311 | Java | java/insecure-cookie | Failure to use secure cookies |
CWE‑311 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑311 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑311 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑311 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑311 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑311 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑311 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑311 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑311 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑311 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
CWE‑311 | Python | py/insecure-cookie | Failure to use secure cookies |
CWE‑311 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑311 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑311 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑311 | Swift | swift/cleartext-storage-database | Cleartext storage of sensitive information in a local database |
CWE‑311 | Swift | swift/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑311 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑311 | Swift | swift/cleartext-storage-preferences | Cleartext storage of sensitive information in an application preference store |
CWE‑312 | C++ | cpp/cleartext-storage-buffer | Cleartext storage of sensitive information in buffer |
CWE‑312 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑312 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑312 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑312 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑312 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑312 | Java | java/android/backup-enabled | Application backup allowed |
CWE‑312 | Java | java/android/cleartext-storage-database | Cleartext storage of sensitive information using a local database on Android |
CWE‑312 | Java | java/android/cleartext-storage-filesystem | Cleartext storage of sensitive information in the Android filesystem |
CWE‑312 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑312 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑312 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑312 | Java | java/android/cleartext-storage-shared-prefs | Cleartext storage of sensitive information using SharedPreferences on Android |
CWE‑312 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑312 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑312 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑312 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑312 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑312 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑312 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑312 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑312 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑312 | Swift | swift/cleartext-storage-database | Cleartext storage of sensitive information in a local database |
CWE‑312 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑312 | Swift | swift/cleartext-storage-preferences | Cleartext storage of sensitive information in an application preference store |
CWE‑313 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑313 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑313 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑313 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑313 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑315 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑315 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑315 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑315 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑315 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑315 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑319 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑319 | C++ | cpp/non-https-url | Failure to use HTTPS URLs |
CWE‑319 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
CWE‑319 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true |
CWE‑319 | Java | java/non-https-url | Failure to use HTTPS URLs |
CWE‑319 | Java | java/non-ssl-connection | Failure to use SSL |
CWE‑319 | Java | java/non-ssl-socket-factory | Failure to use SSL socket factories |
CWE‑319 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑319 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑319 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑319 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑319 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑319 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑319 | Swift | swift/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑321 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑321 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑321 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑321 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑321 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑321 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑321 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑321 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑321 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑322 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
CWE‑326 | C++ | cpp/boost/tls-settings-misconfiguration | Boost_asio TLS Settings Misconfiguration |
CWE‑326 | C++ | cpp/insufficient-key-size | Use of a cryptographic algorithm with insufficient key size |
CWE‑326 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size |
CWE‑326 | Go | go/weak-crypto-key | Use of a weak cryptographic key |
CWE‑326 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
CWE‑326 | Java | java/insufficient-key-size | Use of a cryptographic algorithm with insufficient key size |
CWE‑326 | Java | java/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑326 | Java | java/potentially-weak-cryptographic-algorithm | Use of a potentially broken or risky cryptographic algorithm |
CWE‑326 | JavaScript | js/insufficient-key-size | Use of a weak cryptographic key |
CWE‑326 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑326 | Python | py/weak-crypto-key | Use of weak cryptographic key |
CWE‑326 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑326 | Swift | swift/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑327 | C++ | cpp/boost/use-of-deprecated-hardcoded-security-protocol | boost::asio Use of deprecated hardcoded Protocol |
CWE‑327 | C++ | cpp/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑327 | C++ | cpp/openssl-heartbleed | Use of a version of OpenSSL with Heartbleed |
CWE‑327 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store. |
CWE‑327 | C# | cs/insecure-sql-connection | Insecure SQL connection |
CWE‑327 | C# | cs/ecb-encryption | Encryption using ECB |
CWE‑327 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding |
CWE‑327 | C# | cs/weak-encryption | Weak encryption |
CWE‑327 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). |
CWE‑327 | Go | go/insecure-tls | Insecure TLS configuration |
CWE‑327 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
CWE‑327 | Java | java/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑327 | Java | java/potentially-weak-cryptographic-algorithm | Use of a potentially broken or risky cryptographic algorithm |
CWE‑327 | Java | java/rsa-without-oaep | Use of RSA algorithm without OAEP |
CWE‑327 | Java | java/azure-storage/unsafe-client-side-encryption-in-use | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). |
CWE‑327 | Java | java/unsafe-tls-version | Unsafe TLS version |
CWE‑327 | Java | java/hash-without-salt | Use of a hash function without a salt |
CWE‑327 | JavaScript | js/biased-cryptographic-random | Creating biased random numbers from a cryptographically secure source. |
CWE‑327 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑327 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
CWE‑327 | Python | py/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑327 | Python | py/insecure-default-protocol | Default version of SSL/TLS may be insecure |
CWE‑327 | Python | py/insecure-protocol | Use of insecure SSL/TLS version |
CWE‑327 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑327 | Python | py/azure-storage/unsafe-client-side-encryption-in-use | Unsafe usage of v1 version of Azure Storage client-side encryption. |
CWE‑327 | Ruby | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑327 | Swift | swift/ecb-encryption | Encryption using ECB |
CWE‑327 | Swift | swift/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑327 | Swift | swift/constant-salt | Use of constant salts |
CWE‑327 | Swift | swift/insufficient-hash-iterations | Insufficient hash iterations |
CWE‑328 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
CWE‑328 | Java | java/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑328 | Java | java/potentially-weak-cryptographic-algorithm | Use of a potentially broken or risky cryptographic algorithm |
CWE‑328 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑328 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑328 | Swift | swift/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑329 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑329 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑330 | C# | cs/random-used-once | Random used only once |
CWE‑330 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑330 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑330 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑330 | C# | cs/insecure-randomness | Insecure randomness |
CWE‑330 | Go | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
CWE‑330 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑330 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑330 | Java | java/random-used-once | Random used only once |
CWE‑330 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑330 | Java | java/predictable-seed | Use of a predictable seed in a secure random number generator |
CWE‑330 | Java | java/jhipster-prng | Detect JHipster Generator Vulnerability CVE-2019-16303 |
CWE‑330 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑330 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑330 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑330 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑330 | JavaScript | js/insecure-randomness | Insecure randomness |
CWE‑330 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑330 | JavaScript | js/predictable-token | Predictable token |
CWE‑330 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑330 | Python | py/insecure-randomness | Insecure randomness |
CWE‑330 | Python | py/predictable-token | Predictable token |
CWE‑330 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑330 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑330 | Swift | swift/constant-password | Constant password |
CWE‑330 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑335 | C# | cs/random-used-once | Random used only once |
CWE‑335 | Java | java/random-used-once | Random used only once |
CWE‑335 | Java | java/predictable-seed | Use of a predictable seed in a secure random number generator |
CWE‑337 | Java | java/predictable-seed | Use of a predictable seed in a secure random number generator |
CWE‑338 | C# | cs/insecure-randomness | Insecure randomness |
CWE‑338 | Go | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
CWE‑338 | Java | java/jhipster-prng | Detect JHipster Generator Vulnerability CVE-2019-16303 |
CWE‑338 | JavaScript | js/insecure-randomness | Insecure randomness |
CWE‑338 | Python | py/insecure-randomness | Insecure randomness |
CWE‑340 | JavaScript | js/predictable-token | Predictable token |
CWE‑340 | Python | py/predictable-token | Predictable token |
CWE‑344 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑344 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑344 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑344 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑344 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑344 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑344 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑344 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Swift | swift/constant-password | Constant password |
CWE‑344 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑345 | C++ | cpp/non-https-url | Failure to use HTTPS URLs |
CWE‑345 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
CWE‑345 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
CWE‑345 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑345 | Java | java/missing-jwt-signature-check | Missing JWT signature check |
CWE‑345 | Java | java/spring-disabled-csrf-protection | Disabled Spring CSRF protection |
CWE‑345 | Java | java/unvalidated-cors-origin-set | CORS is derived from untrusted input |
CWE‑345 | Java | java/ip-address-spoofing | IP address spoofing |
CWE‑345 | Java | java/jsonp-injection | JSONP Injection |
CWE‑345 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑345 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑345 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
CWE‑345 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑345 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑345 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑345 | Python | py/ip-address-spoofing | IP address spoofing |
CWE‑345 | Ruby | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑346 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑346 | Java | java/unvalidated-cors-origin-set | CORS is derived from untrusted input |
CWE‑346 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑346 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑347 | Java | java/missing-jwt-signature-check | Missing JWT signature check |
CWE‑347 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑347 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑348 | Java | java/ip-address-spoofing | IP address spoofing |
CWE‑348 | Python | py/ip-address-spoofing | IP address spoofing |
CWE‑350 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑350 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑352 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
CWE‑352 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
CWE‑352 | Java | java/spring-disabled-csrf-protection | Disabled Spring CSRF protection |
CWE‑352 | Java | java/jsonp-injection | JSONP Injection |
CWE‑352 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
CWE‑352 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑352 | Ruby | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑359 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑359 | C++ | cpp/private-cleartext-write | Exposure of private information |
CWE‑359 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑359 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
CWE‑359 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑359 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
CWE‑359 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑359 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑359 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑359 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑359 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑359 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑359 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑359 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑362 | C++ | cpp/toctou-race-condition | Time-of-check time-of-use filesystem race condition |
CWE‑362 | C++ | cpp/linux-kernel-double-fetch-vulnerability | Linux kernel double-fetch vulnerability detection |
CWE‑362 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
CWE‑362 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑362 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field |
CWE‑362 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object |
CWE‑362 | Java | java/toctou-race-condition | Time-of-check time-of-use race condition |
CWE‑362 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑362 | JavaScript | js/file-system-race | Potential file system race condition |
CWE‑366 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
CWE‑367 | C++ | cpp/toctou-race-condition | Time-of-check time-of-use filesystem race condition |
CWE‑367 | Java | java/toctou-race-condition | Time-of-check time-of-use race condition |
CWE‑367 | JavaScript | js/file-system-race | Potential file system race condition |
CWE‑369 | C++ | cpp/divide-by-zero-using-return-value | Divide by zero using return value |
CWE‑369 | Go | go/divide-by-zero | Divide by zero |
CWE‑377 | C++ | cpp/insecure-generation-of-filename | Insecure generation of filenames. |
CWE‑377 | JavaScript | js/insecure-temporary-file | Insecure temporary file |
CWE‑377 | Python | py/insecure-temporary-file | Insecure temporary file |
CWE‑378 | JavaScript | js/insecure-temporary-file | Insecure temporary file |
CWE‑382 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑382 | Java | java/jvm-exit | Forcible JVM termination |
CWE‑383 | Java | java/ejb/threads | EJB uses threads |
CWE‑384 | C# | cs/session-reuse | Failure to abandon session |
CWE‑384 | JavaScript | js/session-fixation | Failure to abandon session |
CWE‑390 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑390 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
CWE‑390 | Python | py/empty-except | Empty except |
CWE‑391 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
CWE‑391 | Java | java/discarded-exception | Discarded exception |
CWE‑391 | Java | java/ignored-error-status-of-call | Ignored error status of call |
CWE‑395 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
CWE‑396 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑396 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑396 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑398 | C++ | cpp/unused-local-variable | Unused local variable |
CWE‑398 | C++ | cpp/unused-static-function | Unused static function |
CWE‑398 | C++ | cpp/unused-static-variable | Unused static variable |
CWE‑398 | C++ | cpp/dead-code-condition | Branching condition always evaluates to same value |
CWE‑398 | C++ | cpp/dead-code-function | Function is never called |
CWE‑398 | C++ | cpp/dead-code-goto | Dead code due to goto or break statement |
CWE‑398 | C++ | cpp/inconsistent-nullness-testing | Inconsistent null check of pointer |
CWE‑398 | C++ | cpp/missing-null-test | Returned pointer not checked |
CWE‑398 | C++ | cpp/unused-variable | Variable is assigned a value that is never read |
CWE‑398 | C++ | cpp/fixme-comment | FIXME comment |
CWE‑398 | C++ | cpp/todo-comment | TODO comment |
CWE‑398 | C++ | cpp/inconsistent-null-check | Inconsistent nullness check |
CWE‑398 | C++ | cpp/useless-expression | Expression has no effect |
CWE‑398 | C++ | cpp/bad-strncpy-size | Possibly wrong buffer size in string copy |
CWE‑398 | C++ | cpp/suspicious-call-to-memset | Suspicious call to memset |
CWE‑398 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑398 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑398 | C++ | cpp/redundant-null-check-simple | Redundant null check due to previous dereference |
CWE‑398 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑398 | C++ | cpp/dangerous-function-overflow | Use of dangerous function |
CWE‑398 | C++ | cpp/dangerous-cin | Dangerous use of 'cin' |
CWE‑398 | C++ | cpp/potentially-dangerous-function | Use of potentially dangerous function |
CWE‑398 | C++ | cpp/redundant-null-check-param | Redundant null check or missing null check of parameter |
CWE‑398 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑398 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑398 | C# | cs/call-to-obsolete-method | Call to obsolete method |
CWE‑398 | C# | cs/todo-comment | TODO comment |
CWE‑398 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑398 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑398 | C# | cs/unused-reftype | Dead reference types |
CWE‑398 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | C# | cs/unused-field | Unused field |
CWE‑398 | C# | cs/unused-method | Unused method |
CWE‑398 | C# | cs/useless-cast-to-self | Cast to same type |
CWE‑398 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
CWE‑398 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
CWE‑398 | C# | cs/useless-type-test | Useless type test |
CWE‑398 | C# | cs/useless-upcast | Useless upcast |
CWE‑398 | C# | cs/empty-collection | Container contents are never initialized |
CWE‑398 | C# | cs/unused-collection | Container contents are never accessed |
CWE‑398 | C# | cs/empty-lock-statement | Empty lock statement |
CWE‑398 | C# | cs/linq/useless-select | Redundant Select |
CWE‑398 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
CWE‑398 | Go | go/useless-assignment-to-field | Useless assignment to field |
CWE‑398 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | Go | go/duplicate-branches | Duplicate 'if' branches |
CWE‑398 | Go | go/duplicate-condition | Duplicate 'if' condition |
CWE‑398 | Go | go/duplicate-switch-case | Duplicate switch case |
CWE‑398 | Go | go/useless-expression | Expression has no effect |
CWE‑398 | Go | go/redundant-operation | Identical operands |
CWE‑398 | Go | go/redundant-assignment | Self assignment |
CWE‑398 | Go | go/unreachable-statement | Unreachable statement |
CWE‑398 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑398 | Java | java/deprecated-call | Deprecated method or constructor invocation |
CWE‑398 | Java | java/dead-class | Dead class |
CWE‑398 | Java | java/dead-enum-constant | Dead enum constant |
CWE‑398 | Java | java/dead-field | Dead field |
CWE‑398 | Java | java/dead-function | Dead method |
CWE‑398 | Java | java/lines-of-dead-code | Lines of dead code in files |
CWE‑398 | Java | java/unused-parameter | Useless parameter |
CWE‑398 | Java | java/useless-null-check | Useless null check |
CWE‑398 | Java | java/useless-type-test | Useless type test |
CWE‑398 | Java | java/useless-upcast | Useless upcast |
CWE‑398 | Java | java/empty-container | Container contents are never initialized |
CWE‑398 | Java | java/unused-container | Container contents are never accessed |
CWE‑398 | Java | java/constant-comparison | Useless comparison test |
CWE‑398 | Java | java/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑398 | Java | java/dereferenced-expr-may-be-null | Dereferenced expression may be null |
CWE‑398 | Java | java/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑398 | Java | java/empty-synchronized-block | Empty synchronized block |
CWE‑398 | Java | java/unreachable-catch-clause | Unreachable catch clause |
CWE‑398 | Java | java/potentially-dangerous-function | Use of a potentially dangerous function |
CWE‑398 | Java | java/todo-comment | TODO/FIXME comments |
CWE‑398 | Java | java/unused-reference-type | Unused classes and interfaces |
CWE‑398 | Java | java/overwritten-assignment-to-local | Assigned value is overwritten |
CWE‑398 | Java | java/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | Java | java/unused-initialized-local | Local variable is initialized but not used |
CWE‑398 | Java | java/local-variable-is-never-read | Unread local variable |
CWE‑398 | Java | java/unused-field | Unused field |
CWE‑398 | Java | java/unused-label | Unused label |
CWE‑398 | Java | java/unused-local-variable | Unused local variable |
CWE‑398 | Java | java/switch-fall-through | Unterminated switch case |
CWE‑398 | Java | java/redundant-cast | Unnecessary cast |
CWE‑398 | Java | java/unused-import | Unnecessary import |
CWE‑398 | JavaScript | js/todo-comment | TODO comment |
CWE‑398 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
CWE‑398 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
CWE‑398 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
CWE‑398 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
CWE‑398 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | JavaScript | js/overwritten-property | Overwritten property |
CWE‑398 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
CWE‑398 | JavaScript | js/comparison-with-nan | Comparison with NaN |
CWE‑398 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
CWE‑398 | JavaScript | js/duplicate-property | Duplicate property |
CWE‑398 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
CWE‑398 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑398 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
CWE‑398 | JavaScript | js/redundant-operation | Identical operands |
CWE‑398 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑398 | JavaScript | js/call-to-non-callable | Invocation of non-function |
CWE‑398 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
CWE‑398 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
CWE‑398 | JavaScript | js/useless-type-test | Useless type test |
CWE‑398 | JavaScript | js/eval-call | Use of eval |
CWE‑398 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
CWE‑398 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
CWE‑398 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
CWE‑398 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
CWE‑398 | JavaScript | js/unreachable-statement | Unreachable statement |
CWE‑398 | JavaScript | js/trivial-conditional | Useless conditional |
CWE‑398 | Python | py/unreachable-except | Unreachable 'except' block |
CWE‑398 | Python | py/comparison-of-constants | Comparison of constants |
CWE‑398 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
CWE‑398 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
CWE‑398 | Python | py/redundant-comparison | Redundant comparison |
CWE‑398 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
CWE‑398 | Python | py/import-deprecated-module | Import of deprecated module |
CWE‑398 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
CWE‑398 | Python | py/redundant-assignment | Redundant assignment |
CWE‑398 | Python | py/ineffectual-statement | Statement has no effect |
CWE‑398 | Python | py/unreachable-statement | Unreachable code |
CWE‑398 | Python | py/multiple-definition | Variable defined multiple times |
CWE‑398 | Python | py/unused-local-variable | Unused local variable |
CWE‑398 | Python | py/unused-global-variable | Unused global variable |
CWE‑398 | Ruby | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | Ruby | rb/unused-parameter | Unused parameter. |
CWE‑400 | C++ | cpp/catch-missing-free | Leaky catch |
CWE‑400 | C++ | cpp/descriptor-may-not-be-closed | Open descriptor may not be closed |
CWE‑400 | C++ | cpp/descriptor-never-closed | Open descriptor never closed |
CWE‑400 | C++ | cpp/file-may-not-be-closed | Open file may not be closed |
CWE‑400 | C++ | cpp/file-never-closed | Open file is not closed |
CWE‑400 | C++ | cpp/memory-may-not-be-freed | Memory may not be freed |
CWE‑400 | C++ | cpp/memory-never-freed | Memory is never freed |
CWE‑400 | C++ | cpp/new-free-mismatch | Mismatching new/free or malloc/delete |
CWE‑400 | C++ | cpp/alloca-in-loop | Call to alloca in a loop |
CWE‑400 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑400 | C++ | cpp/memory-leak-on-failed-call-to-realloc | Memory leak on failed call to realloc |
CWE‑400 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |
CWE‑400 | C# | cs/regex-injection | Regular expression injection |
CWE‑400 | Java | java/input-resource-leak | Potential input resource leak |
CWE‑400 | Java | java/database-resource-leak | Potential database resource leak |
CWE‑400 | Java | java/output-resource-leak | Potential output resource leak |
CWE‑400 | Java | java/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑400 | Java | java/redos | Inefficient regular expression |
CWE‑400 | Java | java/regex-injection | Regular expression injection |
CWE‑400 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑400 | Java | java/local-thread-resource-abuse | Uncontrolled thread resource consumption from local input source |
CWE‑400 | Java | java/thread-resource-abuse | Uncontrolled thread resource consumption |
CWE‑400 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑400 | JavaScript | js/redos | Inefficient regular expression |
CWE‑400 | JavaScript | js/resource-exhaustion-from-deep-object-traversal | Resources exhaustion from deep object traversal |
CWE‑400 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑400 | JavaScript | js/regex-injection | Regular expression injection |
CWE‑400 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑400 | JavaScript | js/resource-exhaustion | Resource exhaustion |
CWE‑400 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑400 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑400 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑400 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑400 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑400 | JavaScript | js/regex-injection-more-sources | Regular expression injection with additional heuristic sources |
CWE‑400 | JavaScript | js/resource-exhaustion-more-sources | Resource exhaustion with additional heuristic sources |
CWE‑400 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑400 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑400 | Python | py/file-not-closed | File is not always closed |
CWE‑400 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑400 | Python | py/redos | Inefficient regular expression |
CWE‑400 | Python | py/regex-injection | Regular expression injection |
CWE‑400 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑400 | Ruby | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑400 | Ruby | rb/redos | Inefficient regular expression |
CWE‑400 | Ruby | rb/regexp-injection | Regular expression injection |
CWE‑400 | Swift | swift/redos | Inefficient regular expression |
CWE‑400 | Swift | swift/regex-injection | Regular expression injection |
CWE‑401 | C++ | cpp/catch-missing-free | Leaky catch |
CWE‑401 | C++ | cpp/memory-may-not-be-freed | Memory may not be freed |
CWE‑401 | C++ | cpp/memory-never-freed | Memory is never freed |
CWE‑401 | C++ | cpp/new-free-mismatch | Mismatching new/free or malloc/delete |
CWE‑401 | C++ | cpp/memory-leak-on-failed-call-to-realloc | Memory leak on failed call to realloc |
CWE‑404 | C++ | cpp/catch-missing-free | Leaky catch |
CWE‑404 | C++ | cpp/descriptor-may-not-be-closed | Open descriptor may not be closed |
CWE‑404 | C++ | cpp/descriptor-never-closed | Open descriptor never closed |
CWE‑404 | C++ | cpp/file-may-not-be-closed | Open file may not be closed |
CWE‑404 | C++ | cpp/file-never-closed | Open file is not closed |
CWE‑404 | C++ | cpp/memory-may-not-be-freed | Memory may not be freed |
CWE‑404 | C++ | cpp/memory-never-freed | Memory is never freed |
CWE‑404 | C++ | cpp/new-free-mismatch | Mismatching new/free or malloc/delete |
CWE‑404 | C++ | cpp/memory-leak-on-failed-call-to-realloc | Memory leak on failed call to realloc |
CWE‑404 | C++ | cpp/resource-not-released-in-destructor | Resource not released in destructor |
CWE‑404 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑404 | C# | cs/member-not-disposed | Missing Dispose call |
CWE‑404 | C# | cs/missing-dispose-method | Missing Dispose method |
CWE‑404 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑404 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑404 | Java | java/input-resource-leak | Potential input resource leak |
CWE‑404 | Java | java/database-resource-leak | Potential database resource leak |
CWE‑404 | Java | java/output-resource-leak | Potential output resource leak |
CWE‑404 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑404 | Java | java/disabled-certificate-revocation-checking | Disabled certificate revocation checking |
CWE‑404 | Python | py/file-not-closed | File is not always closed |
CWE‑405 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑405 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑405 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑405 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑405 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑405 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑405 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑405 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑405 | Ruby | rb/user-controlled-file-decompression | User-controlled file decompression |
CWE‑405 | Ruby | rb/xxe | XML external entity expansion |
CWE‑405 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑409 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑409 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑409 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑409 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑409 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑409 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑409 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑409 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑409 | Ruby | rb/user-controlled-file-decompression | User-controlled file decompression |
CWE‑409 | Ruby | rb/xxe | XML external entity expansion |
CWE‑409 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑413 | Java | java/unsynchronized-getter | Inconsistent synchronization of getter and setter |
CWE‑415 | C++ | cpp/double-free | Potential double free |
CWE‑415 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑415 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑416 | C++ | cpp/use-after-free | Potential use after free |
CWE‑420 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑421 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑428 | C++ | cpp/unsafe-create-process-call | NULL application name with an unquoted path in call to CreateProcess |
CWE‑434 | C# | cs/web/file-upload | Use of file upload |
CWE‑434 | JavaScript | js/http-to-file-access | Network data written to file |
CWE‑434 | Ruby | rb/http-to-file-access | Network data written to file |
CWE‑435 | C++ | cpp/memset-may-be-deleted | Call to memset may be deleted |
CWE‑435 | JavaScript | js/insecure-http-parser | Insecure http parser |
CWE‑436 | JavaScript | js/insecure-http-parser | Insecure http parser |
CWE‑441 | C# | cs/request-forgery | Server-side request forgery |
CWE‑441 | Go | go/request-forgery | Uncontrolled data used in network request |
CWE‑441 | Go | go/ssrf | Uncontrolled data used in network request |
CWE‑441 | Java | java/android/unsafe-content-uri-resolution | Uncontrolled data used in content resolution |
CWE‑441 | Java | java/ssrf | Server-side request forgery |
CWE‑441 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
CWE‑441 | JavaScript | js/request-forgery | Server-side request forgery |
CWE‑441 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
CWE‑441 | Python | py/full-ssrf | Full server-side request forgery |
CWE‑441 | Python | py/partial-ssrf | Partial server-side request forgery |
CWE‑441 | Ruby | rb/request-forgery | Server-side request forgery |
CWE‑444 | JavaScript | js/insecure-http-parser | Insecure http parser |
CWE‑451 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑451 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑456 | C++ | cpp/initialization-not-run | Initialization code not run |
CWE‑457 | C++ | cpp/global-use-before-init | Global variable may be used before initialization |
CWE‑457 | C++ | cpp/not-initialised | Variable not initialized before use |
CWE‑457 | C++ | cpp/uninitialized-local | Potentially uninitialized local variable |
CWE‑457 | C++ | cpp/conditionally-uninitialized-variable | Conditionally uninitialized variable |
CWE‑457 | C# | cs/unassigned-field | Field is never assigned a non-default value |
CWE‑457 | Java | java/unassigned-field | Field is never assigned a non-null value |
CWE‑459 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑459 | C# | cs/member-not-disposed | Missing Dispose call |
CWE‑459 | C# | cs/missing-dispose-method | Missing Dispose method |
CWE‑459 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑459 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑459 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑460 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑460 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑467 | C++ | cpp/suspicious-sizeof | Suspicious 'sizeof' use |
CWE‑468 | C++ | cpp/suspicious-pointer-scaling | Suspicious pointer scaling |
CWE‑468 | C++ | cpp/incorrect-pointer-scaling-char | Suspicious pointer scaling to char |
CWE‑468 | C++ | cpp/suspicious-pointer-scaling-void | Suspicious pointer scaling to void |
CWE‑468 | C++ | cpp/suspicious-add-sizeof | Suspicious add with sizeof |
CWE‑470 | Java | java/android/fragment-injection | Android fragment injection |
CWE‑470 | Java | java/android/fragment-injection-preference-activity | Android fragment injection in PreferenceActivity |
CWE‑470 | Java | java/unsafe-reflection | Use of externally-controlled input to select classes or code ('unsafe reflection') |
CWE‑471 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
CWE‑471 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑471 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑471 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑471 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑472 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
CWE‑476 | C++ | cpp/inconsistent-nullness-testing | Inconsistent null check of pointer |
CWE‑476 | C++ | cpp/missing-null-test | Returned pointer not checked |
CWE‑476 | C++ | cpp/inconsistent-null-check | Inconsistent nullness check |
CWE‑476 | C++ | cpp/redundant-null-check-simple | Redundant null check due to previous dereference |
CWE‑476 | C++ | cpp/redundant-null-check-param | Redundant null check or missing null check of parameter |
CWE‑476 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑476 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑476 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑476 | Java | java/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑476 | Java | java/dereferenced-expr-may-be-null | Dereferenced expression may be null |
CWE‑476 | Java | java/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑476 | JavaScript | js/call-to-non-callable | Invocation of non-function |
CWE‑476 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
CWE‑477 | C# | cs/call-to-obsolete-method | Call to obsolete method |
CWE‑477 | Java | java/deprecated-call | Deprecated method or constructor invocation |
CWE‑477 | Python | py/import-deprecated-module | Import of deprecated module |
CWE‑478 | C++ | cpp/missing-case-in-switch | Missing enum case in switch |
CWE‑478 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑478 | Java | java/missing-default-in-switch | Missing default case in switch |
CWE‑478 | Java | java/missing-case-in-switch | Missing enum case in switch |
CWE‑480 | C++ | cpp/assign-where-compare-meant | Assignment where comparison was intended |
CWE‑480 | C++ | cpp/compare-where-assign-meant | Comparison where assignment was intended |
CWE‑480 | C++ | cpp/incorrect-not-operator-usage | Incorrect 'not' operator usage |
CWE‑480 | C++ | cpp/logical-operator-applied-to-flag | Short-circuiting operator applied to flag |
CWE‑480 | C++ | cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations | Operator Precedence Logic Error When Use Bitwise Or Logical Operations |
CWE‑480 | C++ | cpp/operator-precedence-logic-error-when-use-bool-type | Operator Precedence Logic Error When Use Bool Type |
CWE‑480 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
CWE‑480 | Go | go/useless-expression | Expression has no effect |
CWE‑480 | Go | go/redundant-operation | Identical operands |
CWE‑480 | Go | go/redundant-assignment | Self assignment |
CWE‑480 | Java | java/assignment-in-boolean-expression | Assignment in Boolean expression |
CWE‑480 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑480 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑480 | JavaScript | js/redundant-operation | Identical operands |
CWE‑480 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑480 | JavaScript | js/deletion-of-non-property | Deleting non-property |
CWE‑481 | C++ | cpp/assign-where-compare-meant | Assignment where comparison was intended |
CWE‑481 | Java | java/assignment-in-boolean-expression | Assignment in Boolean expression |
CWE‑482 | C++ | cpp/compare-where-assign-meant | Comparison where assignment was intended |
CWE‑483 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
CWE‑483 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
CWE‑484 | Java | java/switch-fall-through | Unterminated switch case |
CWE‑485 | C# | cs/class-name-comparison | Erroneous class compare |
CWE‑485 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection |
CWE‑485 | C# | cs/expose-implementation | Exposing internal representation |
CWE‑485 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
CWE‑485 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑485 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑485 | Java | java/android/debuggable-attribute-enabled | Android debuggable attribute enabled |
CWE‑485 | Java | java/android/webview-debugging-enabled | Android Webview debugging enabled |
CWE‑485 | Java | java/trust-boundary-violation | Trust boundary violation |
CWE‑485 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑485 | Java | java/abstract-to-concrete-cast | Cast from abstract to concrete collection |
CWE‑485 | Java | java/internal-representation-exposure | Exposing internal representation |
CWE‑485 | Java | java/main-method-in-enterprise-bean | Main Method in Enterprise Java Bean |
CWE‑485 | Java | java/main-method-in-web-components | Main Method in Java EE Web Components |
CWE‑485 | Java | java/struts-development-mode | Apache Struts development mode enabled |
CWE‑485 | JavaScript | js/alert-call | Invocation of alert |
CWE‑485 | JavaScript | js/debugger-statement | Use of debugger statement |
CWE‑485 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑485 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑485 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑485 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑486 | C# | cs/class-name-comparison | Erroneous class compare |
CWE‑489 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
CWE‑489 | Java | java/android/debuggable-attribute-enabled | Android debuggable attribute enabled |
CWE‑489 | Java | java/android/webview-debugging-enabled | Android Webview debugging enabled |
CWE‑489 | Java | java/main-method-in-enterprise-bean | Main Method in Enterprise Java Bean |
CWE‑489 | Java | java/main-method-in-web-components | Main Method in Java EE Web Components |
CWE‑489 | Java | java/struts-development-mode | Apache Struts development mode enabled |
CWE‑489 | JavaScript | js/alert-call | Invocation of alert |
CWE‑489 | JavaScript | js/debugger-statement | Use of debugger statement |
CWE‑489 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑494 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑494 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
CWE‑494 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑494 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑497 | C++ | cpp/system-data-exposure | Exposure of system data to an unauthorized control sphere |
CWE‑497 | C++ | cpp/potential-system-data-exposure | Potential exposure of sensitive system data to an unauthorized control sphere |
CWE‑497 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑497 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑497 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑497 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑497 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑497 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑499 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑501 | Java | java/trust-boundary-violation | Trust boundary violation |
CWE‑502 | C# | cs/deserialized-delegate | Deserialized delegate |
CWE‑502 | C# | cs/unsafe-deserialization | Unsafe deserializer |
CWE‑502 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data |
CWE‑502 | Java | java/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑502 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑502 | Java | java/unsafe-deserialization-rmi | Unsafe deserialization in a remotely callable method. |
CWE‑502 | Java | java/unsafe-deserialization-spring-exporter-in-configuration-class | Unsafe deserialization with Spring's remote service exporters. |
CWE‑502 | Java | java/unsafe-deserialization-spring-exporter-in-xml-configuration | Unsafe deserialization with Spring's remote service exporters. |
CWE‑502 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑502 | JavaScript | js/unsafe-deserialization-more-sources | Deserialization of user-controlled data with additional heuristic sources |
CWE‑502 | Python | py/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑502 | Ruby | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑506 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑506 | Ruby | rb/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑521 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑521 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑522 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑522 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑522 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑522 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑522 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑522 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑522 | Java | java/password-in-configuration | Password in configuration file |
CWE‑522 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑522 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑522 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑523 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑524 | Java | java/android/sensitive-keyboard-cache | Android sensitive keyboard cache |
CWE‑532 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑532 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑532 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑532 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑532 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑532 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑532 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑538 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑538 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑538 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
CWE‑538 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑538 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑538 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑538 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑538 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑538 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑538 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑538 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑539 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
CWE‑543 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑546 | C++ | cpp/fixme-comment | FIXME comment |
CWE‑546 | C++ | cpp/todo-comment | TODO comment |
CWE‑546 | C# | cs/todo-comment | TODO comment |
CWE‑546 | Java | java/todo-comment | TODO/FIXME comments |
CWE‑546 | JavaScript | js/todo-comment | TODO comment |
CWE‑548 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑548 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑548 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑552 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑552 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑552 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑552 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑552 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑552 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑552 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑552 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑552 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑552 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑555 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑555 | Java | java/password-in-configuration | Password in configuration file |
CWE‑560 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑561 | C++ | cpp/unused-static-function | Unused static function |
CWE‑561 | C++ | cpp/dead-code-condition | Branching condition always evaluates to same value |
CWE‑561 | C++ | cpp/dead-code-function | Function is never called |
CWE‑561 | C++ | cpp/dead-code-goto | Dead code due to goto or break statement |
CWE‑561 | C++ | cpp/useless-expression | Expression has no effect |
CWE‑561 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑561 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑561 | C# | cs/unused-reftype | Dead reference types |
CWE‑561 | C# | cs/unused-field | Unused field |
CWE‑561 | C# | cs/unused-method | Unused method |
CWE‑561 | C# | cs/useless-cast-to-self | Cast to same type |
CWE‑561 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
CWE‑561 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
CWE‑561 | C# | cs/useless-type-test | Useless type test |
CWE‑561 | C# | cs/useless-upcast | Useless upcast |
CWE‑561 | C# | cs/empty-collection | Container contents are never initialized |
CWE‑561 | C# | cs/unused-collection | Container contents are never accessed |
CWE‑561 | C# | cs/linq/useless-select | Redundant Select |
CWE‑561 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
CWE‑561 | Go | go/duplicate-branches | Duplicate 'if' branches |
CWE‑561 | Go | go/duplicate-condition | Duplicate 'if' condition |
CWE‑561 | Go | go/duplicate-switch-case | Duplicate switch case |
CWE‑561 | Go | go/useless-expression | Expression has no effect |
CWE‑561 | Go | go/redundant-operation | Identical operands |
CWE‑561 | Go | go/redundant-assignment | Self assignment |
CWE‑561 | Go | go/unreachable-statement | Unreachable statement |
CWE‑561 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑561 | Java | java/dead-class | Dead class |
CWE‑561 | Java | java/dead-enum-constant | Dead enum constant |
CWE‑561 | Java | java/dead-field | Dead field |
CWE‑561 | Java | java/dead-function | Dead method |
CWE‑561 | Java | java/lines-of-dead-code | Lines of dead code in files |
CWE‑561 | Java | java/unused-parameter | Useless parameter |
CWE‑561 | Java | java/useless-null-check | Useless null check |
CWE‑561 | Java | java/useless-type-test | Useless type test |
CWE‑561 | Java | java/useless-upcast | Useless upcast |
CWE‑561 | Java | java/empty-container | Container contents are never initialized |
CWE‑561 | Java | java/unused-container | Container contents are never accessed |
CWE‑561 | Java | java/constant-comparison | Useless comparison test |
CWE‑561 | Java | java/unreachable-catch-clause | Unreachable catch clause |
CWE‑561 | Java | java/unused-reference-type | Unused classes and interfaces |
CWE‑561 | Java | java/useless-assignment-to-local | Useless assignment to local variable |
CWE‑561 | Java | java/local-variable-is-never-read | Unread local variable |
CWE‑561 | Java | java/unused-field | Unused field |
CWE‑561 | Java | java/unused-label | Unused label |
CWE‑561 | Java | java/redundant-cast | Unnecessary cast |
CWE‑561 | Java | java/unused-import | Unnecessary import |
CWE‑561 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
CWE‑561 | JavaScript | js/comparison-with-nan | Comparison with NaN |
CWE‑561 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
CWE‑561 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
CWE‑561 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑561 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
CWE‑561 | JavaScript | js/redundant-operation | Identical operands |
CWE‑561 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑561 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
CWE‑561 | JavaScript | js/useless-type-test | Useless type test |
CWE‑561 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
CWE‑561 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
CWE‑561 | JavaScript | js/unreachable-statement | Unreachable statement |
CWE‑561 | JavaScript | js/trivial-conditional | Useless conditional |
CWE‑561 | Python | py/unreachable-except | Unreachable 'except' block |
CWE‑561 | Python | py/comparison-of-constants | Comparison of constants |
CWE‑561 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
CWE‑561 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
CWE‑561 | Python | py/redundant-comparison | Redundant comparison |
CWE‑561 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
CWE‑561 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
CWE‑561 | Python | py/ineffectual-statement | Statement has no effect |
CWE‑561 | Python | py/unreachable-statement | Unreachable code |
CWE‑563 | C++ | cpp/unused-local-variable | Unused local variable |
CWE‑563 | C++ | cpp/unused-static-variable | Unused static variable |
CWE‑563 | C++ | cpp/unused-variable | Variable is assigned a value that is never read |
CWE‑563 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
CWE‑563 | Go | go/useless-assignment-to-field | Useless assignment to field |
CWE‑563 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
CWE‑563 | Java | java/overwritten-assignment-to-local | Assigned value is overwritten |
CWE‑563 | Java | java/unused-initialized-local | Local variable is initialized but not used |
CWE‑563 | Java | java/unused-local-variable | Unused local variable |
CWE‑563 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
CWE‑563 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
CWE‑563 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
CWE‑563 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
CWE‑563 | JavaScript | js/overwritten-property | Overwritten property |
CWE‑563 | JavaScript | js/duplicate-property | Duplicate property |
CWE‑563 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
CWE‑563 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
CWE‑563 | Python | py/redundant-assignment | Redundant assignment |
CWE‑563 | Python | py/multiple-definition | Variable defined multiple times |
CWE‑563 | Python | py/unused-local-variable | Unused local variable |
CWE‑563 | Python | py/unused-global-variable | Unused global variable |
CWE‑563 | Ruby | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑563 | Ruby | rb/unused-parameter | Unused parameter. |
CWE‑564 | Java | java/concatenated-sql-query | Query built by concatenation with a possibly-untrusted string |
CWE‑564 | Java | java/sql-injection | Query built from user-controlled sources |
CWE‑564 | Java | java/sql-injection-local | Query built from local-user-controlled sources |
CWE‑567 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑568 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑568 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑570 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑570 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
CWE‑570 | Java | java/constant-comparison | Useless comparison test |
CWE‑570 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
CWE‑570 | JavaScript | js/comparison-with-nan | Comparison with NaN |
CWE‑570 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
CWE‑570 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
CWE‑570 | JavaScript | js/useless-type-test | Useless type test |
CWE‑570 | JavaScript | js/trivial-conditional | Useless conditional |
CWE‑570 | Python | py/comparison-of-constants | Comparison of constants |
CWE‑570 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
CWE‑570 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
CWE‑570 | Python | py/redundant-comparison | Redundant comparison |
CWE‑570 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
CWE‑571 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
CWE‑571 | Java | java/constant-comparison | Useless comparison test |
CWE‑571 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
CWE‑571 | JavaScript | js/comparison-with-nan | Comparison with NaN |
CWE‑571 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
CWE‑571 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
CWE‑571 | JavaScript | js/useless-type-test | Useless type test |
CWE‑571 | JavaScript | js/trivial-conditional | Useless conditional |
CWE‑571 | Python | py/comparison-of-constants | Comparison of constants |
CWE‑571 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
CWE‑571 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
CWE‑571 | Python | py/redundant-comparison | Redundant comparison |
CWE‑571 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
CWE‑572 | Java | java/call-to-thread-run | Direct call to a run() method |
CWE‑573 | C++ | cpp/double-free | Potential double free |
CWE‑573 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑573 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑573 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑573 | C++ | cpp/wrong-type-format-argument | Wrong type of arguments to formatting function |
CWE‑573 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑573 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑573 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑573 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑573 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑573 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑573 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑573 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑573 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑573 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑573 | C++ | cpp/double-release | Errors When Double Release |
CWE‑573 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
CWE‑573 | C# | cs/invalid-dynamic-call | Bad dynamic call |
CWE‑573 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑573 | Java | java/ejb/file-io | EJB uses file input/output |
CWE‑573 | Java | java/ejb/graphics | EJB uses graphics |
CWE‑573 | Java | java/ejb/native-code | EJB uses native code |
CWE‑573 | Java | java/ejb/reflection | EJB uses reflection |
CWE‑573 | Java | java/ejb/security-configuration-access | EJB accesses security configuration |
CWE‑573 | Java | java/ejb/substitution-in-serialization | EJB uses substitution in serialization |
CWE‑573 | Java | java/ejb/socket-or-stream-handler-factory | EJB sets socket factory or URL stream handler factory |
CWE‑573 | Java | java/ejb/server-socket | EJB uses server socket |
CWE‑573 | Java | java/ejb/non-final-static-field | EJB uses non-final static field |
CWE‑573 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑573 | Java | java/ejb/this | EJB uses 'this' as argument or result |
CWE‑573 | Java | java/ejb/threads | EJB uses threads |
CWE‑573 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑573 | Java | java/inconsistent-equals-and-hashcode | Inconsistent equals and hashCode |
CWE‑573 | Java | java/unreleased-lock | Unreleased lock |
CWE‑573 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑573 | Java | java/missing-format-argument | Missing format argument |
CWE‑573 | Java | java/unused-format-argument | Unused format argument |
CWE‑573 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑573 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑573 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
CWE‑573 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
CWE‑573 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
CWE‑573 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
CWE‑573 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
CWE‑573 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
CWE‑573 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
CWE‑573 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
CWE‑573 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑574 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑575 | Java | java/ejb/graphics | EJB uses graphics |
CWE‑576 | Java | java/ejb/file-io | EJB uses file input/output |
CWE‑577 | Java | java/ejb/socket-or-stream-handler-factory | EJB sets socket factory or URL stream handler factory |
CWE‑577 | Java | java/ejb/server-socket | EJB uses server socket |
CWE‑578 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑580 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑581 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
CWE‑581 | Java | java/inconsistent-equals-and-hashcode | Inconsistent equals and hashCode |
CWE‑581 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
CWE‑582 | C# | cs/static-array | Array constant vulnerable to change |
CWE‑582 | Java | java/static-array | Array constant vulnerable to change |
CWE‑584 | Java | java/abnormal-finally-completion | Finally block may not complete normally |
CWE‑584 | JavaScript | js/exit-from-finally | Jump from finally |
CWE‑584 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
CWE‑585 | C# | cs/empty-lock-statement | Empty lock statement |
CWE‑585 | Java | java/empty-synchronized-block | Empty synchronized block |
CWE‑592 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑592 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑592 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑592 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑592 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑592 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑592 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑592 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑592 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑595 | C# | cs/reference-equality-with-object | Reference equality test on System.Object |
CWE‑595 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions |
CWE‑595 | Java | java/reference-equality-with-object | Reference equality test on java.lang.Object |
CWE‑595 | Java | java/reference-equality-of-boxed-types | Reference equality test of boxed types |
CWE‑595 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑597 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑598 | Java | java/sensitive-query-with-get | Sensitive GET Query |
CWE‑598 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
CWE‑598 | Ruby | rb/sensitive-get-query | Sensitive data read from GET request |
CWE‑600 | Java | java/uncaught-servlet-exception | Uncaught Servlet Exception |
CWE‑601 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
CWE‑601 | Go | go/bad-redirect-check | Bad redirect check |
CWE‑601 | Go | go/unvalidated-url-redirection | Open URL redirect |
CWE‑601 | Java | java/unvalidated-url-redirection | URL redirection from remote source |
CWE‑601 | Java | java/unvalidated-url-redirection-local | URL redirection from local source |
CWE‑601 | Java | java/spring-unvalidated-url-redirection | Spring url redirection from remote source |
CWE‑601 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑601 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
CWE‑601 | Python | py/url-redirection | URL redirection from remote source |
CWE‑601 | Ruby | rb/url-redirection | URL redirection from remote source |
CWE‑609 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
CWE‑609 | Java | java/unsafe-double-checked-locking | Double-checked locking is not thread-safe |
CWE‑609 | Java | java/unsafe-double-checked-locking-init-order | Race condition in double-checked locking object initialization |
CWE‑609 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑610 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑610 | C++ | cpp/external-entity-expansion | XML external entity expansion |
CWE‑610 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑610 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
CWE‑610 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑610 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑610 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑610 | C# | cs/request-forgery | Server-side request forgery |
CWE‑610 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Go | go/bad-redirect-check | Bad redirect check |
CWE‑610 | Go | go/unvalidated-url-redirection | Open URL redirect |
CWE‑610 | Go | go/request-forgery | Uncontrolled data used in network request |
CWE‑610 | Go | go/ssrf | Uncontrolled data used in network request |
CWE‑610 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑610 | Java | java/android/unsafe-content-uri-resolution | Uncontrolled data used in content resolution |
CWE‑610 | Java | java/android/fragment-injection | Android fragment injection |
CWE‑610 | Java | java/android/fragment-injection-preference-activity | Android fragment injection in PreferenceActivity |
CWE‑610 | Java | java/unvalidated-url-redirection | URL redirection from remote source |
CWE‑610 | Java | java/unvalidated-url-redirection-local | URL redirection from local source |
CWE‑610 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑610 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑610 | Java | java/ssrf | Server-side request forgery |
CWE‑610 | Java | java/unsafe-reflection | Use of externally-controlled input to select classes or code ('unsafe reflection') |
CWE‑610 | Java | java/spring-unvalidated-url-redirection | Spring url redirection from remote source |
CWE‑610 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑610 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑610 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑610 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
CWE‑610 | JavaScript | js/xxe | XML external entity expansion |
CWE‑610 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
CWE‑610 | JavaScript | js/request-forgery | Server-side request forgery |
CWE‑610 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
CWE‑610 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑610 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑610 | Python | py/url-redirection | URL redirection from remote source |
CWE‑610 | Python | py/xxe | XML external entity expansion |
CWE‑610 | Python | py/full-ssrf | Full server-side request forgery |
CWE‑610 | Python | py/partial-ssrf | Partial server-side request forgery |
CWE‑610 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑610 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑610 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑610 | Ruby | rb/url-redirection | URL redirection from remote source |
CWE‑610 | Ruby | rb/xxe | XML external entity expansion |
CWE‑610 | Ruby | rb/request-forgery | Server-side request forgery |
CWE‑610 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑611 | C++ | cpp/external-entity-expansion | XML external entity expansion |
CWE‑611 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑611 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑611 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑611 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑611 | JavaScript | js/xxe | XML external entity expansion |
CWE‑611 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑611 | Python | py/xxe | XML external entity expansion |
CWE‑611 | Ruby | rb/xxe | XML external entity expansion |
CWE‑611 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑614 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
CWE‑614 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true |
CWE‑614 | Java | java/insecure-cookie | Failure to use secure cookies |
CWE‑614 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑614 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
CWE‑614 | Python | py/insecure-cookie | Failure to use secure cookies |
CWE‑625 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
CWE‑628 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑628 | C++ | cpp/wrong-type-format-argument | Wrong type of arguments to formatting function |
CWE‑628 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑628 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑628 | C# | cs/invalid-dynamic-call | Bad dynamic call |
CWE‑628 | Java | java/missing-format-argument | Missing format argument |
CWE‑628 | Java | java/unused-format-argument | Unused format argument |
CWE‑628 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
CWE‑628 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
CWE‑628 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
CWE‑628 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
CWE‑628 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
CWE‑628 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
CWE‑628 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
CWE‑639 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑639 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑640 | Go | go/email-injection | Email content injection |
CWE‑640 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
CWE‑642 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑642 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
CWE‑642 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑642 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑642 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑642 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑642 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑642 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑642 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑642 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑642 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑642 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑642 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑642 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑642 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑642 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑643 | C# | cs/xml/stored-xpath-injection | Stored XPath injection |
CWE‑643 | C# | cs/xml/xpath-injection | XPath injection |
CWE‑643 | Go | go/xml/xpath-injection | XPath injection |
CWE‑643 | Java | java/xml/xpath-injection | XPath injection |
CWE‑643 | JavaScript | js/xpath-injection | XPath injection |
CWE‑643 | JavaScript | js/xpath-injection-more-sources | XPath injection with additional heuristic sources |
CWE‑643 | Python | py/xpath-injection | XPath query built from user-controlled sources |
CWE‑643 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
CWE‑643 | Ruby | rb/xpath-injection | XPath query built from user-controlled sources |
CWE‑652 | Java | java/xquery-injection | XQuery query built from user-controlled sources |
CWE‑657 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑657 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑657 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑657 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑657 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑657 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑657 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑657 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑657 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑657 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑657 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑657 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑657 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑657 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑657 | Swift | swift/constant-password | Constant password |
CWE‑657 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑662 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑662 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑662 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑662 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
CWE‑662 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
CWE‑662 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
CWE‑662 | C# | cs/locked-wait | A lock is held during a wait |
CWE‑662 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
CWE‑662 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
CWE‑662 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑662 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑662 | Java | java/wait-on-condition-interface | Wait on condition |
CWE‑662 | Java | java/call-to-thread-run | Direct call to a run() method |
CWE‑662 | Java | java/unsafe-double-checked-locking | Double-checked locking is not thread-safe |
CWE‑662 | Java | java/unsafe-double-checked-locking-init-order | Race condition in double-checked locking object initialization |
CWE‑662 | Java | java/unsafe-sync-on-field | Futile synchronization on field |
CWE‑662 | Java | java/inconsistent-field-synchronization | Inconsistent synchronization for field |
CWE‑662 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑662 | Java | java/non-sync-override | Non-synchronized override of synchronized method |
CWE‑662 | Java | java/notify-instead-of-notify-all | notify instead of notifyAll |
CWE‑662 | Java | java/sleep-with-lock-held | Sleep with lock held |
CWE‑662 | Java | java/sync-on-boxed-types | Synchronization on boxed types or strings |
CWE‑662 | Java | java/unsynchronized-getter | Inconsistent synchronization of getter and setter |
CWE‑662 | Java | java/inconsistent-sync-writeobject | Inconsistent synchronization for writeObject() |
CWE‑662 | Java | java/unreleased-lock | Unreleased lock |
CWE‑662 | Java | java/wait-with-two-locks | Wait with two locks held |
CWE‑662 | Java | java/lock-order-inconsistency | Lock order inconsistency |
CWE‑664 | C++ | cpp/catch-missing-free | Leaky catch |
CWE‑664 | C++ | cpp/descriptor-may-not-be-closed | Open descriptor may not be closed |
CWE‑664 | C++ | cpp/descriptor-never-closed | Open descriptor never closed |
CWE‑664 | C++ | cpp/double-free | Potential double free |
CWE‑664 | C++ | cpp/file-may-not-be-closed | Open file may not be closed |
CWE‑664 | C++ | cpp/file-never-closed | Open file is not closed |
CWE‑664 | C++ | cpp/global-use-before-init | Global variable may be used before initialization |
CWE‑664 | C++ | cpp/initialization-not-run | Initialization code not run |
CWE‑664 | C++ | cpp/memory-may-not-be-freed | Memory may not be freed |
CWE‑664 | C++ | cpp/memory-never-freed | Memory is never freed |
CWE‑664 | C++ | cpp/new-free-mismatch | Mismatching new/free or malloc/delete |
CWE‑664 | C++ | cpp/not-initialised | Variable not initialized before use |
CWE‑664 | C++ | cpp/use-after-free | Potential use after free |
CWE‑664 | C++ | cpp/bad-addition-overflow-check | Bad check for overflow of integer addition |
CWE‑664 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑664 | C++ | cpp/upcast-array-pointer-arithmetic | Upcast array used in pointer arithmetic |
CWE‑664 | C++ | cpp/alloca-in-loop | Call to alloca in a loop |
CWE‑664 | C++ | cpp/improper-null-termination | Potential improper null termination |
CWE‑664 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑664 | C++ | cpp/uninitialized-local | Potentially uninitialized local variable |
CWE‑664 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑664 | C++ | cpp/self-assignment-check | Self assignment check |
CWE‑664 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑664 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑664 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑664 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑664 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑664 | C++ | cpp/cleartext-storage-buffer | Cleartext storage of sensitive information in buffer |
CWE‑664 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑664 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑664 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑664 | C++ | cpp/unsafe-create-process-call | NULL application name with an unquoted path in call to CreateProcess |
CWE‑664 | C++ | cpp/conditionally-uninitialized-variable | Conditionally uninitialized variable |
CWE‑664 | C++ | cpp/system-data-exposure | Exposure of system data to an unauthorized control sphere |
CWE‑664 | C++ | cpp/potential-system-data-exposure | Potential exposure of sensitive system data to an unauthorized control sphere |
CWE‑664 | C++ | cpp/external-entity-expansion | XML external entity expansion |
CWE‑664 | C++ | cpp/incorrect-string-type-conversion | Cast from char to wchar_t |
CWE‑664 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑664 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑664 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑664 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑664 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑664 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑664 | C++ | cpp/work-with-file-without-permissions-rights | Writing to a file without setting permissions. |
CWE‑664 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑664 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑664 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑664 | C++ | cpp/pam-auth-bypass | PAM Authorization bypass |
CWE‑664 | C++ | cpp/private-cleartext-write | Exposure of private information |
CWE‑664 | C++ | cpp/insecure-generation-of-filename | Insecure generation of filenames. |
CWE‑664 | C++ | cpp/memory-leak-on-failed-call-to-realloc | Memory leak on failed call to realloc |
CWE‑664 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑664 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑664 | C++ | cpp/double-release | Errors When Double Release |
CWE‑664 | C++ | cpp/improper-check-return-value-scanf | Improper check of return value of scanf |
CWE‑664 | C++ | cpp/resource-not-released-in-destructor | Resource not released in destructor |
CWE‑664 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑664 | C# | cs/member-not-disposed | Missing Dispose call |
CWE‑664 | C# | cs/missing-dispose-method | Missing Dispose method |
CWE‑664 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑664 | C# | cs/class-name-comparison | Erroneous class compare |
CWE‑664 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection |
CWE‑664 | C# | cs/expose-implementation | Exposing internal representation |
CWE‑664 | C# | cs/static-array | Array constant vulnerable to change |
CWE‑664 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
CWE‑664 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
CWE‑664 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
CWE‑664 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
CWE‑664 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
CWE‑664 | C# | cs/locked-wait | A lock is held during a wait |
CWE‑664 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
CWE‑664 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
CWE‑664 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑664 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑664 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑664 | C# | cs/unassigned-field | Field is never assigned a non-default value |
CWE‑664 | C# | cs/web/file-upload | Use of file upload |
CWE‑664 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑664 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑664 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑664 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑664 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | C# | cs/code-injection | Improper control of generation of code |
CWE‑664 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
CWE‑664 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑664 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
CWE‑664 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑664 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑664 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
CWE‑664 | C# | cs/session-reuse | Failure to abandon session |
CWE‑664 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑664 | C# | cs/deserialized-delegate | Deserialized delegate |
CWE‑664 | C# | cs/unsafe-deserialization | Unsafe deserializer |
CWE‑664 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data |
CWE‑664 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑664 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
CWE‑664 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑664 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑664 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |
CWE‑664 | C# | cs/regex-injection | Regular expression injection |
CWE‑664 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑664 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑664 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
CWE‑664 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
CWE‑664 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
CWE‑664 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑664 | C# | cs/request-forgery | Server-side request forgery |
CWE‑664 | Go | go/shift-out-of-range | Shift out of range |
CWE‑664 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
CWE‑664 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑664 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑664 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑664 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
CWE‑664 | Go | go/bad-redirect-check | Bad redirect check |
CWE‑664 | Go | go/unvalidated-url-redirection | Open URL redirect |
CWE‑664 | Go | go/email-injection | Email content injection |
CWE‑664 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
CWE‑664 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | Go | go/request-forgery | Uncontrolled data used in network request |
CWE‑664 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
CWE‑664 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑664 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑664 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑664 | Go | go/ssrf | Uncontrolled data used in network request |
CWE‑664 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑664 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑664 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑664 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑664 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑664 | Java | java/wait-on-condition-interface | Wait on condition |
CWE‑664 | Java | java/call-to-thread-run | Direct call to a run() method |
CWE‑664 | Java | java/unsafe-double-checked-locking | Double-checked locking is not thread-safe |
CWE‑664 | Java | java/unsafe-double-checked-locking-init-order | Race condition in double-checked locking object initialization |
CWE‑664 | Java | java/unsafe-sync-on-field | Futile synchronization on field |
CWE‑664 | Java | java/inconsistent-field-synchronization | Inconsistent synchronization for field |
CWE‑664 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑664 | Java | java/non-sync-override | Non-synchronized override of synchronized method |
CWE‑664 | Java | java/notify-instead-of-notify-all | notify instead of notifyAll |
CWE‑664 | Java | java/sleep-with-lock-held | Sleep with lock held |
CWE‑664 | Java | java/sync-on-boxed-types | Synchronization on boxed types or strings |
CWE‑664 | Java | java/unsynchronized-getter | Inconsistent synchronization of getter and setter |
CWE‑664 | Java | java/inconsistent-sync-writeobject | Inconsistent synchronization for writeObject() |
CWE‑664 | Java | java/unreleased-lock | Unreleased lock |
CWE‑664 | Java | java/wait-with-two-locks | Wait with two locks held |
CWE‑664 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑664 | Java | java/input-resource-leak | Potential input resource leak |
CWE‑664 | Java | java/database-resource-leak | Potential database resource leak |
CWE‑664 | Java | java/output-resource-leak | Potential output resource leak |
CWE‑664 | Java | java/impossible-array-cast | Impossible array cast |
CWE‑664 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑664 | Java | java/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | Java | java/partial-path-traversal | Partial path traversal vulnerability |
CWE‑664 | Java | java/partial-path-traversal-from-remote | Partial path traversal vulnerability from remote |
CWE‑664 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑664 | Java | java/groovy-injection | Groovy Language injection |
CWE‑664 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑664 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑664 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑664 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑664 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑664 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑664 | Java | java/android/websettings-allow-content-access | Android WebView settings allows access to content links |
CWE‑664 | Java | java/android/websettings-file-access | Android WebSettings file access |
CWE‑664 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑664 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑664 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑664 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑664 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑664 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑664 | Java | java/android/backup-enabled | Application backup allowed |
CWE‑664 | Java | java/android/cleartext-storage-database | Cleartext storage of sensitive information using a local database on Android |
CWE‑664 | Java | java/android/cleartext-storage-filesystem | Cleartext storage of sensitive information in the Android filesystem |
CWE‑664 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑664 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑664 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑664 | Java | java/android/cleartext-storage-shared-prefs | Cleartext storage of sensitive information using SharedPreferences on Android |
CWE‑664 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑664 | Java | java/android/unsafe-content-uri-resolution | Uncontrolled data used in content resolution |
CWE‑664 | Java | java/android/fragment-injection | Android fragment injection |
CWE‑664 | Java | java/android/fragment-injection-preference-activity | Android fragment injection in PreferenceActivity |
CWE‑664 | Java | java/android/debuggable-attribute-enabled | Android debuggable attribute enabled |
CWE‑664 | Java | java/android/webview-debugging-enabled | Android Webview debugging enabled |
CWE‑664 | Java | java/trust-boundary-violation | Trust boundary violation |
CWE‑664 | Java | java/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑664 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑664 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑664 | Java | java/android/sensitive-keyboard-cache | Android sensitive keyboard cache |
CWE‑664 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑664 | Java | java/unvalidated-url-redirection | URL redirection from remote source |
CWE‑664 | Java | java/unvalidated-url-redirection-local | URL redirection from local source |
CWE‑664 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑664 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑664 | Java | java/tainted-numeric-cast | User-controlled data in numeric cast |
CWE‑664 | Java | java/tainted-numeric-cast-local | Local-user-controlled data in numeric cast |
CWE‑664 | Java | java/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑664 | Java | java/redos | Inefficient regular expression |
CWE‑664 | Java | java/regex-injection | Regular expression injection |
CWE‑664 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑664 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑664 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑664 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑664 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑664 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑664 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑664 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑664 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑664 | Java | java/lock-order-inconsistency | Lock order inconsistency |
CWE‑664 | Java | java/ssrf | Server-side request forgery |
CWE‑664 | Java | java/improper-intent-verification | Improper verification of intent by broadcast receiver |
CWE‑664 | Java | java/android/incomplete-provider-permissions | Missing read or write permission in a content provider |
CWE‑664 | Java | java/android/implicitly-exported-component | Implicitly exported Android component |
CWE‑664 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑664 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑664 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑664 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑664 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑664 | Java | java/unassigned-field | Field is never assigned a non-null value |
CWE‑664 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑664 | Java | java/abstract-to-concrete-cast | Cast from abstract to concrete collection |
CWE‑664 | Java | java/internal-representation-exposure | Exposing internal representation |
CWE‑664 | Java | java/static-array | Array constant vulnerable to change |
CWE‑664 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑664 | Java | java/openstream-called-on-tainted-url | openStream called on URLs created from remote source |
CWE‑664 | Java | java/beanshell-injection | BeanShell injection |
CWE‑664 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑664 | Java | java/jshell-injection | JShell injection |
CWE‑664 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑664 | Java | java/jython-injection | Injection in Jython |
CWE‑664 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑664 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑664 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑664 | Java | java/insecure-webview-resource-response | Insecure Android WebView Resource Response |
CWE‑664 | Java | java/sensitive-android-file-leak | Leaking sensitive Android file |
CWE‑664 | Java | java/possible-timing-attack-against-signature | Possible timing attack against signature validation |
CWE‑664 | Java | java/timing-attack-against-headers-value | Timing attack against header value |
CWE‑664 | Java | java/timing-attack-against-signature | Timing attack against signature validation |
CWE‑664 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑664 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑664 | Java | java/disabled-certificate-revocation-checking | Disabled certificate revocation checking |
CWE‑664 | Java | java/unvalidated-cors-origin-set | CORS is derived from untrusted input |
CWE‑664 | Java | java/local-thread-resource-abuse | Uncontrolled thread resource consumption from local input source |
CWE‑664 | Java | java/thread-resource-abuse | Uncontrolled thread resource consumption |
CWE‑664 | Java | java/unsafe-reflection | Use of externally-controlled input to select classes or code ('unsafe reflection') |
CWE‑664 | Java | java/main-method-in-enterprise-bean | Main Method in Enterprise Java Bean |
CWE‑664 | Java | java/main-method-in-web-components | Main Method in Java EE Web Components |
CWE‑664 | Java | java/struts-development-mode | Apache Struts development mode enabled |
CWE‑664 | Java | java/unsafe-deserialization-rmi | Unsafe deserialization in a remotely callable method. |
CWE‑664 | Java | java/unsafe-deserialization-spring-exporter-in-configuration-class | Unsafe deserialization with Spring's remote service exporters. |
CWE‑664 | Java | java/unsafe-deserialization-spring-exporter-in-xml-configuration | Unsafe deserialization with Spring's remote service exporters. |
CWE‑664 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑664 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑664 | Java | java/password-in-configuration | Password in configuration file |
CWE‑664 | Java | java/sensitive-query-with-get | Sensitive GET Query |
CWE‑664 | Java | java/spring-unvalidated-url-redirection | Spring url redirection from remote source |
CWE‑664 | Java | java/insecure-rmi-jmx-server-initialization | InsecureRmiJmxAuthenticationEnvironment |
CWE‑664 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑664 | JavaScript | js/alert-call | Invocation of alert |
CWE‑664 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
CWE‑664 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
CWE‑664 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑664 | JavaScript | js/implicit-operand-conversion | Implicit operand conversion |
CWE‑664 | JavaScript | js/shift-out-of-range | Shift out of range |
CWE‑664 | JavaScript | js/debugger-statement | Use of debugger statement |
CWE‑664 | JavaScript | js/invalid-prototype-value | Invalid prototype value |
CWE‑664 | JavaScript | js/property-assignment-on-primitive | Assignment to property of primitive value |
CWE‑664 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑664 | JavaScript | js/redos | Inefficient regular expression |
CWE‑664 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑664 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑664 | JavaScript | js/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑664 | JavaScript | js/code-injection | Code injection |
CWE‑664 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑664 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑664 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑664 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑664 | JavaScript | js/case-sensitive-middleware-path | Case-sensitive middleware path |
CWE‑664 | JavaScript | js/file-access-to-http | File data in outbound network request |
CWE‑664 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑664 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
CWE‑664 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑664 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑664 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑664 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑664 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑664 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑664 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑664 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑664 | JavaScript | js/insecure-temporary-file | Insecure temporary file |
CWE‑664 | JavaScript | js/session-fixation | Failure to abandon session |
CWE‑664 | JavaScript | js/resource-exhaustion-from-deep-object-traversal | Resources exhaustion from deep object traversal |
CWE‑664 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑664 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑664 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑664 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
CWE‑664 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑664 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
CWE‑664 | JavaScript | js/xxe | XML external entity expansion |
CWE‑664 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑664 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
CWE‑664 | JavaScript | js/regex-injection | Regular expression injection |
CWE‑664 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑664 | JavaScript | js/resource-exhaustion | Resource exhaustion |
CWE‑664 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑664 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑664 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑664 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
CWE‑664 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
CWE‑664 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
CWE‑664 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑664 | JavaScript | js/http-to-file-access | Network data written to file |
CWE‑664 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑664 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑664 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑664 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
CWE‑664 | JavaScript | js/request-forgery | Server-side request forgery |
CWE‑664 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑664 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
CWE‑664 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑664 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑664 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑664 | JavaScript | js/unsafe-deserialization-more-sources | Deserialization of user-controlled data with additional heuristic sources |
CWE‑664 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑664 | JavaScript | js/regex-injection-more-sources | Regular expression injection with additional heuristic sources |
CWE‑664 | JavaScript | js/resource-exhaustion-more-sources | Resource exhaustion with additional heuristic sources |
CWE‑664 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑664 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑664 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑664 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑664 | Python | py/implicit-string-concatenation-in-list | Implicit string concatenation in a list |
CWE‑664 | Python | py/file-not-closed | File is not always closed |
CWE‑664 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
CWE‑664 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
CWE‑664 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑664 | Python | py/code-injection | Code injection |
CWE‑664 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑664 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑664 | Python | py/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑664 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑664 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑664 | Python | py/insecure-temporary-file | Insecure temporary file |
CWE‑664 | Python | py/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑664 | Python | py/url-redirection | URL redirection from remote source |
CWE‑664 | Python | py/xxe | XML external entity expansion |
CWE‑664 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑664 | Python | py/redos | Inefficient regular expression |
CWE‑664 | Python | py/regex-injection | Regular expression injection |
CWE‑664 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑664 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑664 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | Python | py/full-ssrf | Full server-side request forgery |
CWE‑664 | Python | py/partial-ssrf | Partial server-side request forgery |
CWE‑664 | Python | py/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | Python | py/tarslip-extended | Arbitrary file write during tarfile extraction |
CWE‑664 | Python | py/unsafe-unpacking | Arbitrary file write during a tarball extraction from a user controlled source |
CWE‑664 | Python | py/possible-timing-attack-against-hash | Timing attack against Hash |
CWE‑664 | Python | py/timing-attack-against-hash | Timing attack against Hash |
CWE‑664 | Python | py/timing-attack-against-header-value | Timing attack against header value |
CWE‑664 | Python | py/possible-timing-attack-sensitive-info | Timing attack against secret |
CWE‑664 | Python | py/timing-attack-sensitive-info | Timing attack against secret |
CWE‑664 | Python | py/flask-constant-secret-key | Initializing SECRET_KEY of Flask application with Constant value |
CWE‑664 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
CWE‑664 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑664 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑664 | Ruby | rb/zip-slip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑664 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑664 | Ruby | rb/user-controlled-file-decompression | User-controlled file decompression |
CWE‑664 | Ruby | rb/improper-ldap-auth | Improper LDAP Authentication |
CWE‑664 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑664 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑664 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑664 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑664 | Ruby | rb/code-injection | Code injection |
CWE‑664 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑664 | Ruby | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑664 | Ruby | rb/redos | Inefficient regular expression |
CWE‑664 | Ruby | rb/regexp-injection | Regular expression injection |
CWE‑664 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑664 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑664 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑664 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑664 | Ruby | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑664 | Ruby | rb/sensitive-get-query | Sensitive data read from GET request |
CWE‑664 | Ruby | rb/url-redirection | URL redirection from remote source |
CWE‑664 | Ruby | rb/xxe | XML external entity expansion |
CWE‑664 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑664 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑664 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | Ruby | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑664 | Ruby | rb/http-to-file-access | Network data written to file |
CWE‑664 | Ruby | rb/request-forgery | Server-side request forgery |
CWE‑664 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑664 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑664 | Swift | swift/redos | Inefficient regular expression |
CWE‑664 | Swift | swift/constant-password | Constant password |
CWE‑664 | Swift | swift/cleartext-storage-database | Cleartext storage of sensitive information in a local database |
CWE‑664 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑664 | Swift | swift/cleartext-storage-preferences | Cleartext storage of sensitive information in an application preference store |
CWE‑664 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑664 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑664 | Swift | swift/regex-injection | Regular expression injection |
CWE‑665 | C++ | cpp/global-use-before-init | Global variable may be used before initialization |
CWE‑665 | C++ | cpp/initialization-not-run | Initialization code not run |
CWE‑665 | C++ | cpp/not-initialised | Variable not initialized before use |
CWE‑665 | C++ | cpp/alloca-in-loop | Call to alloca in a loop |
CWE‑665 | C++ | cpp/improper-null-termination | Potential improper null termination |
CWE‑665 | C++ | cpp/uninitialized-local | Potentially uninitialized local variable |
CWE‑665 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑665 | C++ | cpp/conditionally-uninitialized-variable | Conditionally uninitialized variable |
CWE‑665 | C# | cs/unassigned-field | Field is never assigned a non-default value |
CWE‑665 | Java | java/unassigned-field | Field is never assigned a non-null value |
CWE‑665 | Java | java/insecure-rmi-jmx-server-initialization | InsecureRmiJmxAuthenticationEnvironment |
CWE‑665 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑665 | JavaScript | js/resource-exhaustion | Resource exhaustion |
CWE‑665 | JavaScript | js/resource-exhaustion-more-sources | Resource exhaustion with additional heuristic sources |
CWE‑665 | Python | py/implicit-string-concatenation-in-list | Implicit string concatenation in a list |
CWE‑666 | C++ | cpp/double-free | Potential double free |
CWE‑666 | C++ | cpp/use-after-free | Potential use after free |
CWE‑666 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑666 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑666 | C++ | cpp/self-assignment-check | Self assignment check |
CWE‑666 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑666 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑666 | C++ | cpp/double-release | Errors When Double Release |
CWE‑667 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑667 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑667 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑667 | C# | cs/locked-wait | A lock is held during a wait |
CWE‑667 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
CWE‑667 | Java | java/unsafe-double-checked-locking | Double-checked locking is not thread-safe |
CWE‑667 | Java | java/unsafe-double-checked-locking-init-order | Race condition in double-checked locking object initialization |
CWE‑667 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑667 | Java | java/sleep-with-lock-held | Sleep with lock held |
CWE‑667 | Java | java/unsynchronized-getter | Inconsistent synchronization of getter and setter |
CWE‑667 | Java | java/unreleased-lock | Unreleased lock |
CWE‑667 | Java | java/wait-with-two-locks | Wait with two locks held |
CWE‑667 | Java | java/lock-order-inconsistency | Lock order inconsistency |
CWE‑668 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑668 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑668 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑668 | C++ | cpp/unsafe-create-process-call | NULL application name with an unquoted path in call to CreateProcess |
CWE‑668 | C++ | cpp/system-data-exposure | Exposure of system data to an unauthorized control sphere |
CWE‑668 | C++ | cpp/potential-system-data-exposure | Potential exposure of sensitive system data to an unauthorized control sphere |
CWE‑668 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑668 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑668 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑668 | C++ | cpp/work-with-file-without-permissions-rights | Writing to a file without setting permissions. |
CWE‑668 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑668 | C++ | cpp/private-cleartext-write | Exposure of private information |
CWE‑668 | C++ | cpp/insecure-generation-of-filename | Insecure generation of filenames. |
CWE‑668 | C# | cs/static-array | Array constant vulnerable to change |
CWE‑668 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
CWE‑668 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑668 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑668 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
CWE‑668 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑668 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
CWE‑668 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑668 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑668 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
CWE‑668 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
CWE‑668 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
CWE‑668 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑668 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
CWE‑668 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑668 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑668 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
CWE‑668 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑668 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑668 | Java | java/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | Java | java/partial-path-traversal | Partial path traversal vulnerability |
CWE‑668 | Java | java/partial-path-traversal-from-remote | Partial path traversal vulnerability from remote |
CWE‑668 | Java | java/android/websettings-allow-content-access | Android WebView settings allows access to content links |
CWE‑668 | Java | java/android/websettings-file-access | Android WebSettings file access |
CWE‑668 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑668 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑668 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑668 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑668 | Java | java/android/sensitive-keyboard-cache | Android sensitive keyboard cache |
CWE‑668 | Java | java/sensitive-log | Insertion of sensitive information into log files |
CWE‑668 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑668 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑668 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑668 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑668 | Java | java/static-array | Array constant vulnerable to change |
CWE‑668 | Java | java/openstream-called-on-tainted-url | openStream called on URLs created from remote source |
CWE‑668 | Java | java/insecure-webview-resource-response | Insecure Android WebView Resource Response |
CWE‑668 | Java | java/sensitive-android-file-leak | Leaking sensitive Android file |
CWE‑668 | Java | java/possible-timing-attack-against-signature | Possible timing attack against signature validation |
CWE‑668 | Java | java/timing-attack-against-headers-value | Timing attack against header value |
CWE‑668 | Java | java/timing-attack-against-signature | Timing attack against signature validation |
CWE‑668 | Java | java/server-directory-listing | Directories and files exposure |
CWE‑668 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑668 | Java | java/password-in-configuration | Password in configuration file |
CWE‑668 | Java | java/sensitive-query-with-get | Sensitive GET Query |
CWE‑668 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
CWE‑668 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑668 | JavaScript | js/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑668 | JavaScript | js/file-access-to-http | File data in outbound network request |
CWE‑668 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑668 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
CWE‑668 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑668 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑668 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑668 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑668 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑668 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑668 | JavaScript | js/insecure-temporary-file | Insecure temporary file |
CWE‑668 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
CWE‑668 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑668 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑668 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
CWE‑668 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
CWE‑668 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑668 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑668 | Python | py/flask-debug | Flask app is run in debug mode |
CWE‑668 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑668 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑668 | Python | py/insecure-temporary-file | Insecure temporary file |
CWE‑668 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑668 | Python | py/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | Python | py/tarslip-extended | Arbitrary file write during tarfile extraction |
CWE‑668 | Python | py/unsafe-unpacking | Arbitrary file write during a tarball extraction from a user controlled source |
CWE‑668 | Python | py/possible-timing-attack-against-hash | Timing attack against Hash |
CWE‑668 | Python | py/timing-attack-against-hash | Timing attack against Hash |
CWE‑668 | Python | py/timing-attack-against-header-value | Timing attack against header value |
CWE‑668 | Python | py/possible-timing-attack-sensitive-info | Timing attack against secret |
CWE‑668 | Python | py/timing-attack-sensitive-info | Timing attack against secret |
CWE‑668 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑668 | Ruby | rb/zip-slip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑668 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑668 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑668 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑668 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑668 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑668 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑668 | Ruby | rb/sensitive-get-query | Sensitive data read from GET request |
CWE‑668 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑668 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑668 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑669 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑669 | C# | cs/web/file-upload | Use of file upload |
CWE‑669 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑669 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑669 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑669 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑669 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑669 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑669 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
CWE‑669 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑669 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑669 | JavaScript | js/xxe | XML external entity expansion |
CWE‑669 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
CWE‑669 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
CWE‑669 | JavaScript | js/http-to-file-access | Network data written to file |
CWE‑669 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑669 | Python | py/xxe | XML external entity expansion |
CWE‑669 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑669 | Ruby | rb/xxe | XML external entity expansion |
CWE‑669 | Ruby | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑669 | Ruby | rb/http-to-file-access | Network data written to file |
CWE‑669 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑670 | C++ | cpp/comma-before-misleading-indentation | Comma before misleading indentation |
CWE‑670 | C++ | cpp/assign-where-compare-meant | Assignment where comparison was intended |
CWE‑670 | C++ | cpp/compare-where-assign-meant | Comparison where assignment was intended |
CWE‑670 | C++ | cpp/incorrect-not-operator-usage | Incorrect 'not' operator usage |
CWE‑670 | C++ | cpp/logical-operator-applied-to-flag | Short-circuiting operator applied to flag |
CWE‑670 | C++ | cpp/unsafe-use-of-this | Unsafe use of this in constructor |
CWE‑670 | C++ | cpp/dangerous-use-of-ssl-shutdown | Dangerous use SSL_shutdown. |
CWE‑670 | C++ | cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations | Operator Precedence Logic Error When Use Bitwise Or Logical Operations |
CWE‑670 | C++ | cpp/operator-precedence-logic-error-when-use-bool-type | Operator Precedence Logic Error When Use Bool Type |
CWE‑670 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
CWE‑670 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑670 | Go | go/useless-expression | Expression has no effect |
CWE‑670 | Go | go/redundant-operation | Identical operands |
CWE‑670 | Go | go/redundant-assignment | Self assignment |
CWE‑670 | Java | java/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑670 | Java | java/assignment-in-boolean-expression | Assignment in Boolean expression |
CWE‑670 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑670 | Java | java/switch-fall-through | Unterminated switch case |
CWE‑670 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑670 | JavaScript | js/redundant-operation | Identical operands |
CWE‑670 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑670 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
CWE‑670 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑670 | JavaScript | js/deletion-of-non-property | Deleting non-property |
CWE‑670 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
CWE‑670 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
CWE‑670 | Python | py/asserts-tuple | Asserting a tuple |
CWE‑671 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑671 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑671 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑671 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑671 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑671 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑671 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑671 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑671 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑671 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑671 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑671 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑671 | Swift | swift/constant-password | Constant password |
CWE‑671 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑672 | C++ | cpp/double-free | Potential double free |
CWE‑672 | C++ | cpp/use-after-free | Potential use after free |
CWE‑672 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑672 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑672 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑672 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑674 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑674 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑674 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑674 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑674 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑674 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑674 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑674 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑674 | Ruby | rb/xxe | XML external entity expansion |
CWE‑674 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑675 | C++ | cpp/double-free | Potential double free |
CWE‑675 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑675 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑675 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑675 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑675 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑675 | C++ | cpp/double-release | Errors When Double Release |
CWE‑675 | Java | java/unreleased-lock | Unreleased lock |
CWE‑676 | C++ | cpp/bad-strncpy-size | Possibly wrong buffer size in string copy |
CWE‑676 | C++ | cpp/suspicious-call-to-memset | Suspicious call to memset |
CWE‑676 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑676 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑676 | C++ | cpp/dangerous-function-overflow | Use of dangerous function |
CWE‑676 | C++ | cpp/dangerous-cin | Dangerous use of 'cin' |
CWE‑676 | C++ | cpp/potentially-dangerous-function | Use of potentially dangerous function |
CWE‑676 | Java | java/potentially-dangerous-function | Use of a potentially dangerous function |
CWE‑676 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
CWE‑676 | JavaScript | js/eval-call | Use of eval |
CWE‑681 | C++ | cpp/bad-addition-overflow-check | Bad check for overflow of integer addition |
CWE‑681 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑681 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑681 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑681 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑681 | Go | go/shift-out-of-range | Shift out of range |
CWE‑681 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
CWE‑681 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑681 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑681 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑681 | Java | java/tainted-numeric-cast | User-controlled data in numeric cast |
CWE‑681 | Java | java/tainted-numeric-cast-local | Local-user-controlled data in numeric cast |
CWE‑681 | JavaScript | js/shift-out-of-range | Shift out of range |
CWE‑682 | C++ | cpp/overflow-calculated | Buffer not sufficient for string |
CWE‑682 | C++ | cpp/overflow-destination | Copy function using source size |
CWE‑682 | C++ | cpp/static-buffer-overflow | Static array access may cause overflow |
CWE‑682 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑682 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑682 | C++ | cpp/ambiguously-signed-bit-field | Ambiguously signed bit-field member |
CWE‑682 | C++ | cpp/bad-addition-overflow-check | Bad check for overflow of integer addition |
CWE‑682 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑682 | C++ | cpp/signed-overflow-check | Signed overflow check |
CWE‑682 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑682 | C++ | cpp/suspicious-sizeof | Suspicious 'sizeof' use |
CWE‑682 | C++ | cpp/overrun-write | Overrunning write |
CWE‑682 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑682 | C++ | cpp/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑682 | C++ | cpp/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑682 | C++ | cpp/arithmetic-with-extreme-values | Use of extreme values in arithmetic expression |
CWE‑682 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑682 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑682 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑682 | C++ | cpp/unsigned-difference-expression-compared-zero | Unsigned difference expression compared to zero |
CWE‑682 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑682 | C++ | cpp/suspicious-pointer-scaling | Suspicious pointer scaling |
CWE‑682 | C++ | cpp/incorrect-pointer-scaling-char | Suspicious pointer scaling to char |
CWE‑682 | C++ | cpp/suspicious-pointer-scaling-void | Suspicious pointer scaling to void |
CWE‑682 | C++ | cpp/suspicious-add-sizeof | Suspicious add with sizeof |
CWE‑682 | C++ | cpp/multiplication-overflow-in-alloc | Multiplication result may overflow and be used in allocation |
CWE‑682 | C++ | cpp/dangerous-use-of-transformation-after-operation | Dangerous use of transformation after operation. |
CWE‑682 | C++ | cpp/divide-by-zero-using-return-value | Divide by zero using return value |
CWE‑682 | C++ | cpp/signed-bit-field | Possible signed bit-field member |
CWE‑682 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length |
CWE‑682 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑682 | Go | go/index-out-of-bounds | Off-by-one comparison against length |
CWE‑682 | Go | go/allocation-size-overflow | Size computation for allocation may overflow |
CWE‑682 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
CWE‑682 | Go | go/divide-by-zero | Divide by zero |
CWE‑682 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑682 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑682 | Java | java/index-out-of-bounds | Array index out of bounds |
CWE‑682 | Java | java/tainted-arithmetic | User-controlled data in arithmetic expression |
CWE‑682 | Java | java/tainted-arithmetic-local | Local-user-controlled data in arithmetic expression |
CWE‑682 | Java | java/uncontrolled-arithmetic | Uncontrolled data in arithmetic expression |
CWE‑682 | Java | java/extreme-value-arithmetic | Use of extreme values in arithmetic expression |
CWE‑682 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑682 | JavaScript | js/index-out-of-bounds | Off-by-one comparison against length |
CWE‑682 | Swift | swift/string-length-conflation | String length conflation |
CWE‑684 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑684 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑685 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑685 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑685 | Java | java/missing-format-argument | Missing format argument |
CWE‑685 | Java | java/unused-format-argument | Unused format argument |
CWE‑685 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
CWE‑685 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
CWE‑685 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
CWE‑685 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
CWE‑686 | C++ | cpp/wrong-type-format-argument | Wrong type of arguments to formatting function |
CWE‑687 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑687 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
CWE‑691 | C++ | cpp/comma-before-misleading-indentation | Comma before misleading indentation |
CWE‑691 | C++ | cpp/assign-where-compare-meant | Assignment where comparison was intended |
CWE‑691 | C++ | cpp/compare-where-assign-meant | Comparison where assignment was intended |
CWE‑691 | C++ | cpp/incorrect-not-operator-usage | Incorrect 'not' operator usage |
CWE‑691 | C++ | cpp/logical-operator-applied-to-flag | Short-circuiting operator applied to flag |
CWE‑691 | C++ | cpp/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑691 | C++ | cpp/unsafe-use-of-this | Unsafe use of this in constructor |
CWE‑691 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑691 | C++ | cpp/toctou-race-condition | Time-of-check time-of-use filesystem race condition |
CWE‑691 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑691 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑691 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑691 | C++ | cpp/infinite-loop-with-unsatisfiable-exit-condition | Infinite loop with unsatisfiable exit condition |
CWE‑691 | C++ | cpp/linux-kernel-double-fetch-vulnerability | Linux kernel double-fetch vulnerability detection |
CWE‑691 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑691 | C++ | cpp/dangerous-use-of-ssl-shutdown | Dangerous use SSL_shutdown. |
CWE‑691 | C++ | cpp/errors-after-refactoring | Errors After Refactoring |
CWE‑691 | C++ | cpp/errors-when-using-bit-operations | Errors When Using Bit Operations |
CWE‑691 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑691 | C++ | cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations | Operator Precedence Logic Error When Use Bitwise Or Logical Operations |
CWE‑691 | C++ | cpp/operator-precedence-logic-error-when-use-bool-type | Operator Precedence Logic Error When Use Bool Type |
CWE‑691 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
CWE‑691 | C# | cs/constant-condition | Constant condition |
CWE‑691 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
CWE‑691 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
CWE‑691 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
CWE‑691 | C# | cs/locked-wait | A lock is held during a wait |
CWE‑691 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
CWE‑691 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
CWE‑691 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑691 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑691 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
CWE‑691 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field |
CWE‑691 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object |
CWE‑691 | C# | cs/linq/inconsistent-enumeration | Bad multiple iteration |
CWE‑691 | C# | cs/code-injection | Improper control of generation of code |
CWE‑691 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑691 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑691 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑691 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑691 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑691 | Go | go/useless-expression | Expression has no effect |
CWE‑691 | Go | go/redundant-operation | Identical operands |
CWE‑691 | Go | go/redundant-assignment | Self assignment |
CWE‑691 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑691 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑691 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑691 | Java | java/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑691 | Java | java/assignment-in-boolean-expression | Assignment in Boolean expression |
CWE‑691 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑691 | Java | java/wait-on-condition-interface | Wait on condition |
CWE‑691 | Java | java/call-to-thread-run | Direct call to a run() method |
CWE‑691 | Java | java/unsafe-double-checked-locking | Double-checked locking is not thread-safe |
CWE‑691 | Java | java/unsafe-double-checked-locking-init-order | Race condition in double-checked locking object initialization |
CWE‑691 | Java | java/unsafe-sync-on-field | Futile synchronization on field |
CWE‑691 | Java | java/inconsistent-field-synchronization | Inconsistent synchronization for field |
CWE‑691 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑691 | Java | java/non-sync-override | Non-synchronized override of synchronized method |
CWE‑691 | Java | java/notify-instead-of-notify-all | notify instead of notifyAll |
CWE‑691 | Java | java/sleep-with-lock-held | Sleep with lock held |
CWE‑691 | Java | java/sync-on-boxed-types | Synchronization on boxed types or strings |
CWE‑691 | Java | java/unsynchronized-getter | Inconsistent synchronization of getter and setter |
CWE‑691 | Java | java/inconsistent-sync-writeobject | Inconsistent synchronization for writeObject() |
CWE‑691 | Java | java/unreleased-lock | Unreleased lock |
CWE‑691 | Java | java/wait-with-two-locks | Wait with two locks held |
CWE‑691 | Java | java/non-short-circuit-evaluation | Dangerous non-short-circuit logic |
CWE‑691 | Java | java/constant-loop-condition | Constant loop condition |
CWE‑691 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑691 | Java | java/groovy-injection | Groovy Language injection |
CWE‑691 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑691 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑691 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑691 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑691 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑691 | Java | java/toctou-race-condition | Time-of-check time-of-use race condition |
CWE‑691 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑691 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑691 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑691 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑691 | Java | java/lock-order-inconsistency | Lock order inconsistency |
CWE‑691 | Java | java/unreachable-exit-in-loop | Loop with unreachable exit condition |
CWE‑691 | Java | java/switch-fall-through | Unterminated switch case |
CWE‑691 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑691 | Java | java/uncaught-number-format-exception | Missing catch of NumberFormatException |
CWE‑691 | Java | java/jvm-exit | Forcible JVM termination |
CWE‑691 | Java | java/abnormal-finally-completion | Finally block may not complete normally |
CWE‑691 | Java | java/beanshell-injection | BeanShell injection |
CWE‑691 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑691 | Java | java/jshell-injection | JShell injection |
CWE‑691 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑691 | Java | java/jython-injection | Injection in Jython |
CWE‑691 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑691 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑691 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑691 | Java | java/uncaught-servlet-exception | Uncaught Servlet Exception |
CWE‑691 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑691 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑691 | JavaScript | js/redundant-operation | Identical operands |
CWE‑691 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑691 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
CWE‑691 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑691 | JavaScript | js/deletion-of-non-property | Deleting non-property |
CWE‑691 | JavaScript | js/exit-from-finally | Jump from finally |
CWE‑691 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑691 | JavaScript | js/code-injection | Code injection |
CWE‑691 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑691 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑691 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑691 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑691 | JavaScript | js/file-system-race | Potential file system race condition |
CWE‑691 | JavaScript | js/server-crash | Server crash |
CWE‑691 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑691 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑691 | JavaScript | js/loop-bound-injection | Loop bound injection |
CWE‑691 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑691 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑691 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑691 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
CWE‑691 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑691 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
CWE‑691 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑691 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑691 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑691 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑691 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑691 | Python | py/code-injection | Code injection |
CWE‑691 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑691 | Python | py/asserts-tuple | Asserting a tuple |
CWE‑691 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
CWE‑691 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑691 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑691 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑691 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑691 | Ruby | rb/code-injection | Code injection |
CWE‑691 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑691 | Ruby | rb/xxe | XML external entity expansion |
CWE‑691 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑691 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑691 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑693 | C++ | cpp/boost/tls-settings-misconfiguration | Boost_asio TLS Settings Misconfiguration |
CWE‑693 | C++ | cpp/boost/use-of-deprecated-hardcoded-security-protocol | boost::asio Use of deprecated hardcoded Protocol |
CWE‑693 | C++ | cpp/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | C++ | cpp/count-untrusted-data-external-api-ir | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | C++ | cpp/untrusted-data-to-external-api-ir | Untrusted data passed to external API |
CWE‑693 | C++ | cpp/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | C++ | cpp/uncontrolled-process-operation | Uncontrolled process operation |
CWE‑693 | C++ | cpp/unclear-array-index-validation | Unclear validation of array index |
CWE‑693 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑693 | C++ | cpp/user-controlled-bypass | Authentication bypass by spoofing |
CWE‑693 | C++ | cpp/certificate-result-conflation | Certificate result conflation |
CWE‑693 | C++ | cpp/certificate-not-checked | Certificate not checked |
CWE‑693 | C++ | cpp/cleartext-storage-buffer | Cleartext storage of sensitive information in buffer |
CWE‑693 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑693 | C++ | cpp/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑693 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑693 | C++ | cpp/non-https-url | Failure to use HTTPS URLs |
CWE‑693 | C++ | cpp/insufficient-key-size | Use of a cryptographic algorithm with insufficient key size |
CWE‑693 | C++ | cpp/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑693 | C++ | cpp/openssl-heartbleed | Use of a version of OpenSSL with Heartbleed |
CWE‑693 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑693 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑693 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑693 | C++ | cpp/tainted-permissions-check | Untrusted input for a condition |
CWE‑693 | C++ | cpp/late-check-of-function-argument | Late Check Of Function Argument |
CWE‑693 | C++ | cpp/linux-kernel-no-check-before-unsafe-put-user | Linux kernel no check before unsafe_put_user vulnerability detection |
CWE‑693 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑693 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑693 | C++ | cpp/pam-auth-bypass | PAM Authorization bypass |
CWE‑693 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑693 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑693 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | C# | cs/serialization-check-bypass | Serialization check bypass |
CWE‑693 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | C# | cs/xml/missing-validation | Missing XML validation |
CWE‑693 | C# | cs/assembly-path-injection | Assembly path injection |
CWE‑693 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
CWE‑693 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑693 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑693 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store. |
CWE‑693 | C# | cs/insecure-sql-connection | Insecure SQL connection |
CWE‑693 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
CWE‑693 | C# | cs/session-reuse | Failure to abandon session |
CWE‑693 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
CWE‑693 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑693 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑693 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑693 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
CWE‑693 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
CWE‑693 | C# | cs/ecb-encryption | Encryption using ECB |
CWE‑693 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding |
CWE‑693 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size |
CWE‑693 | C# | cs/weak-encryption | Weak encryption |
CWE‑693 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). |
CWE‑693 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true |
CWE‑693 | Go | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | Go | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | Go | go/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑693 | Go | go/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑693 | Go | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
CWE‑693 | Go | go/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | Go | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
CWE‑693 | Go | go/disabled-certificate-check | Disabled TLS certificate check |
CWE‑693 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑693 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
CWE‑693 | Go | go/weak-crypto-key | Use of a weak cryptographic key |
CWE‑693 | Go | go/insecure-tls | Insecure TLS configuration |
CWE‑693 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
CWE‑693 | Go | go/email-injection | Email content injection |
CWE‑693 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑693 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑693 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑693 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
CWE‑693 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑693 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑693 | Java | java/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | Java | java/overly-large-range | Overly permissive regular expression range |
CWE‑693 | Java | java/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | Java | java/improper-validation-of-array-construction | Improper validation of user-provided size used for array construction |
CWE‑693 | Java | java/improper-validation-of-array-construction-code-specified | Improper validation of code-specified size used for array construction |
CWE‑693 | Java | java/improper-validation-of-array-construction-local | Improper validation of local user-provided size used for array construction |
CWE‑693 | Java | java/improper-validation-of-array-index | Improper validation of user-provided array index |
CWE‑693 | Java | java/improper-validation-of-array-index-code-specified | Improper validation of code-specified array index |
CWE‑693 | Java | java/improper-validation-of-array-index-local | Improper validation of local user-provided array index |
CWE‑693 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑693 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑693 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑693 | Java | java/android/missing-certificate-pinning | Android missing certificate pinning |
CWE‑693 | Java | java/improper-webview-certificate-validation | Android WebView that accepts all certificates |
CWE‑693 | Java | java/insecure-trustmanager | TrustManager that accepts all certificates |
CWE‑693 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑693 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑693 | Java | java/android/backup-enabled | Application backup allowed |
CWE‑693 | Java | java/android/cleartext-storage-database | Cleartext storage of sensitive information using a local database on Android |
CWE‑693 | Java | java/android/cleartext-storage-filesystem | Cleartext storage of sensitive information in the Android filesystem |
CWE‑693 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑693 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑693 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑693 | Java | java/android/cleartext-storage-shared-prefs | Cleartext storage of sensitive information using SharedPreferences on Android |
CWE‑693 | Java | java/non-https-url | Failure to use HTTPS URLs |
CWE‑693 | Java | java/non-ssl-connection | Failure to use SSL |
CWE‑693 | Java | java/non-ssl-socket-factory | Failure to use SSL socket factories |
CWE‑693 | Java | java/insufficient-key-size | Use of a cryptographic algorithm with insufficient key size |
CWE‑693 | Java | java/weak-cryptographic-algorithm | Use of a broken or risky cryptographic algorithm |
CWE‑693 | Java | java/potentially-weak-cryptographic-algorithm | Use of a potentially broken or risky cryptographic algorithm |
CWE‑693 | Java | java/missing-jwt-signature-check | Missing JWT signature check |
CWE‑693 | Java | java/spring-disabled-csrf-protection | Disabled Spring CSRF protection |
CWE‑693 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑693 | Java | java/insecure-basic-auth | Insecure basic authentication |
CWE‑693 | Java | java/insecure-ldap-auth | Insecure LDAP authentication |
CWE‑693 | Java | java/insecure-cookie | Failure to use secure cookies |
CWE‑693 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑693 | Java | java/rsa-without-oaep | Use of RSA algorithm without OAEP |
CWE‑693 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑693 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑693 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑693 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑693 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑693 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑693 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑693 | Java | java/improper-intent-verification | Improper verification of intent by broadcast receiver |
CWE‑693 | Java | java/android/incomplete-provider-permissions | Missing read or write permission in a content provider |
CWE‑693 | Java | java/android/implicitly-exported-component | Implicitly exported Android component |
CWE‑693 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑693 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑693 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑693 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑693 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑693 | Java | java/jxbrowser/disabled-certificate-validation | JxBrowser with disabled certificate validation |
CWE‑693 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑693 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑693 | Java | java/disabled-certificate-revocation-checking | Disabled certificate revocation checking |
CWE‑693 | Java | java/azure-storage/unsafe-client-side-encryption-in-use | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). |
CWE‑693 | Java | java/unsafe-tls-version | Unsafe TLS version |
CWE‑693 | Java | java/unvalidated-cors-origin-set | CORS is derived from untrusted input |
CWE‑693 | Java | java/ip-address-spoofing | IP address spoofing |
CWE‑693 | Java | java/jsonp-injection | JSONP Injection |
CWE‑693 | Java | java/credentials-in-properties | Cleartext Credentials in Properties File |
CWE‑693 | Java | java/password-in-configuration | Password in configuration file |
CWE‑693 | Java | java/hash-without-salt | Use of a hash function without a salt |
CWE‑693 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑693 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
CWE‑693 | JavaScript | js/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | JavaScript | js/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑693 | JavaScript | js/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑693 | JavaScript | js/incorrect-suffix-check | Incorrect suffix check |
CWE‑693 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑693 | JavaScript | js/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑693 | JavaScript | js/overly-large-range | Overly permissive regular expression range |
CWE‑693 | JavaScript | js/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | JavaScript | js/useless-regexp-character-escape | Useless regular-expression character escape |
CWE‑693 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑693 | JavaScript | js/double-escaping | Double escaping or unescaping |
CWE‑693 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑693 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑693 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑693 | JavaScript | js/exposure-of-private-files | Exposure of private files |
CWE‑693 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑693 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑693 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑693 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑693 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑693 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑693 | JavaScript | js/insufficient-key-size | Use of a weak cryptographic key |
CWE‑693 | JavaScript | js/biased-cryptographic-random | Creating biased random numbers from a cryptographically secure source. |
CWE‑693 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑693 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑693 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑693 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
CWE‑693 | JavaScript | js/session-fixation | Failure to abandon session |
CWE‑693 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑693 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑693 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
CWE‑693 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑693 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑693 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑693 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑693 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑693 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
CWE‑693 | JavaScript | js/untrusted-data-to-external-api-more-sources | Untrusted data passed to external API with additional heuristic sources |
CWE‑693 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑693 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑693 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑693 | Python | py/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
CWE‑693 | Python | py/untrusted-data-to-external-api | Untrusted data passed to external API |
CWE‑693 | Python | py/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | Python | py/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑693 | Python | py/overly-large-range | Overly permissive regular expression range |
CWE‑693 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑693 | Python | py/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑693 | Python | py/paramiko-missing-host-key-validation | Accepting unknown SSH host keys when using Paramiko |
CWE‑693 | Python | py/request-without-cert-validation | Request without certificate validation |
CWE‑693 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑693 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑693 | Python | py/weak-crypto-key | Use of weak cryptographic key |
CWE‑693 | Python | py/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑693 | Python | py/insecure-default-protocol | Default version of SSL/TLS may be insecure |
CWE‑693 | Python | py/insecure-protocol | Use of insecure SSL/TLS version |
CWE‑693 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑693 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑693 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑693 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑693 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑693 | Python | py/flask-constant-secret-key | Initializing SECRET_KEY of Flask application with Constant value |
CWE‑693 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
CWE‑693 | Python | py/azure-storage/unsafe-client-side-encryption-in-use | Unsafe usage of v1 version of Azure Storage client-side encryption. |
CWE‑693 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
CWE‑693 | Python | py/ip-address-spoofing | IP address spoofing |
CWE‑693 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
CWE‑693 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
CWE‑693 | Python | py/insecure-cookie | Failure to use secure cookies |
CWE‑693 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑693 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑693 | Ruby | rb/improper-ldap-auth | Improper LDAP Authentication |
CWE‑693 | Ruby | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | Ruby | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑693 | Ruby | rb/regex/badly-anchored-regexp | Badly anchored regular expression |
CWE‑693 | Ruby | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑693 | Ruby | rb/overly-large-range | Overly permissive regular expression range |
CWE‑693 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑693 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑693 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑693 | Ruby | rb/request-without-cert-validation | Request without certificate validation |
CWE‑693 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑693 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑693 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑693 | Ruby | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑693 | Ruby | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑693 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑693 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑693 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑693 | Swift | swift/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑693 | Swift | swift/constant-password | Constant password |
CWE‑693 | Swift | swift/cleartext-storage-database | Cleartext storage of sensitive information in a local database |
CWE‑693 | Swift | swift/cleartext-transmission | Cleartext transmission of sensitive information |
CWE‑693 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑693 | Swift | swift/cleartext-storage-preferences | Cleartext storage of sensitive information in an application preference store |
CWE‑693 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑693 | Swift | swift/ecb-encryption | Encryption using ECB |
CWE‑693 | Swift | swift/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑693 | Swift | swift/insecure-tls | Insecure TLS configuration |
CWE‑693 | Swift | swift/constant-salt | Use of constant salts |
CWE‑693 | Swift | swift/insufficient-hash-iterations | Insufficient hash iterations |
CWE‑695 | Java | java/ejb/file-io | EJB uses file input/output |
CWE‑695 | Java | java/ejb/graphics | EJB uses graphics |
CWE‑695 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑695 | Java | java/ejb/threads | EJB uses threads |
CWE‑696 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑696 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑697 | C++ | cpp/missing-case-in-switch | Missing enum case in switch |
CWE‑697 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑697 | C# | cs/class-name-comparison | Erroneous class compare |
CWE‑697 | C# | cs/reference-equality-with-object | Reference equality test on System.Object |
CWE‑697 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions |
CWE‑697 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑697 | Java | java/missing-default-in-switch | Missing default case in switch |
CWE‑697 | Java | java/reference-equality-with-object | Reference equality test on java.lang.Object |
CWE‑697 | Java | java/reference-equality-of-boxed-types | Reference equality test of boxed types |
CWE‑697 | Java | java/reference-equality-on-strings | Reference equality test on strings |
CWE‑697 | Java | java/missing-case-in-switch | Missing enum case in switch |
CWE‑697 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
CWE‑697 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
CWE‑697 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑697 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑697 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑697 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑697 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑697 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑703 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑703 | C++ | cpp/return-value-ignored | Return value of a function is ignored |
CWE‑703 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑703 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑703 | C++ | cpp/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑703 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑703 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑703 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑703 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑703 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑703 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑703 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑703 | C++ | cpp/improper-check-return-value-scanf | Improper check of return value of scanf |
CWE‑703 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑703 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑703 | C# | cs/unchecked-return-value | Unchecked return value |
CWE‑703 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
CWE‑703 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
CWE‑703 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑703 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑703 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑703 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑703 | Java | java/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑703 | Java | java/return-value-ignored | Method result ignored |
CWE‑703 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑703 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑703 | Java | java/discarded-exception | Discarded exception |
CWE‑703 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑703 | Java | java/ignored-error-status-of-call | Ignored error status of call |
CWE‑703 | Java | java/uncaught-number-format-exception | Missing catch of NumberFormatException |
CWE‑703 | Java | java/uncaught-servlet-exception | Uncaught Servlet Exception |
CWE‑703 | Java | java/android/nfe-local-android-dos | Local Android DoS Caused By NumberFormatException |
CWE‑703 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑703 | JavaScript | js/server-crash | Server crash |
CWE‑703 | JavaScript | js/unvalidated-dynamic-method-call | Unvalidated dynamic method call |
CWE‑703 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑703 | Python | py/empty-except | Empty except |
CWE‑703 | Python | py/ignored-return-value | Ignored return value |
CWE‑703 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑703 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑704 | C++ | cpp/bad-addition-overflow-check | Bad check for overflow of integer addition |
CWE‑704 | C++ | cpp/integer-multiplication-cast-to-long | Multiplication result converted to larger type |
CWE‑704 | C++ | cpp/upcast-array-pointer-arithmetic | Upcast array used in pointer arithmetic |
CWE‑704 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑704 | C++ | cpp/integer-overflow-tainted | Potential integer arithmetic overflow |
CWE‑704 | C++ | cpp/incorrect-string-type-conversion | Cast from char to wchar_t |
CWE‑704 | C# | cs/loss-of-precision | Possible loss of precision |
CWE‑704 | Go | go/shift-out-of-range | Shift out of range |
CWE‑704 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
CWE‑704 | Java | java/implicit-cast-in-compound-assignment | Implicit narrowing conversion in compound assignment |
CWE‑704 | Java | java/integer-multiplication-cast-to-long | Result of multiplication cast to wider type |
CWE‑704 | Java | java/impossible-array-cast | Impossible array cast |
CWE‑704 | Java | java/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑704 | Java | java/tainted-numeric-cast | User-controlled data in numeric cast |
CWE‑704 | Java | java/tainted-numeric-cast-local | Local-user-controlled data in numeric cast |
CWE‑704 | JavaScript | js/implicit-operand-conversion | Implicit operand conversion |
CWE‑704 | JavaScript | js/shift-out-of-range | Shift out of range |
CWE‑704 | JavaScript | js/invalid-prototype-value | Invalid prototype value |
CWE‑704 | JavaScript | js/property-assignment-on-primitive | Assignment to property of primitive value |
CWE‑704 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
CWE‑705 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑705 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
CWE‑705 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑705 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑705 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑705 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑705 | Java | java/uncaught-number-format-exception | Missing catch of NumberFormatException |
CWE‑705 | Java | java/jvm-exit | Forcible JVM termination |
CWE‑705 | Java | java/abnormal-finally-completion | Finally block may not complete normally |
CWE‑705 | Java | java/uncaught-servlet-exception | Uncaught Servlet Exception |
CWE‑705 | JavaScript | js/exit-from-finally | Jump from finally |
CWE‑705 | JavaScript | js/server-crash | Server crash |
CWE‑705 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑705 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
CWE‑706 | C++ | cpp/path-injection | Uncontrolled data used in path expression |
CWE‑706 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑706 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑706 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑706 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑706 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
CWE‑706 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | Java | java/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Java | java/path-injection-local | Local-user-controlled data in path expression |
CWE‑706 | Java | java/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | Java | java/partial-path-traversal | Partial path traversal vulnerability |
CWE‑706 | Java | java/partial-path-traversal-from-remote | Partial path traversal vulnerability from remote |
CWE‑706 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑706 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑706 | Java | java/openstream-called-on-tainted-url | openStream called on URLs created from remote source |
CWE‑706 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑706 | JavaScript | js/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | JavaScript | js/case-sensitive-middleware-path | Case-sensitive middleware path |
CWE‑706 | JavaScript | js/xxe | XML external entity expansion |
CWE‑706 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑706 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
CWE‑706 | Python | py/xxe | XML external entity expansion |
CWE‑706 | Python | py/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | Python | py/tarslip-extended | Arbitrary file write during tarfile extraction |
CWE‑706 | Python | py/unsafe-unpacking | Arbitrary file write during a tarball extraction from a user controlled source |
CWE‑706 | Ruby | rb/zip-slip | Arbitrary file access during archive extraction ("Zip Slip") |
CWE‑706 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Ruby | rb/xxe | XML external entity expansion |
CWE‑706 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑707 | C++ | cpp/non-constant-format | Non-constant format string |
CWE‑707 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑707 | C++ | cpp/improper-null-termination | Potential improper null termination |
CWE‑707 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑707 | C++ | cpp/command-line-injection | Uncontrolled data used in OS command |
CWE‑707 | C++ | cpp/cgi-xss | CGI script vulnerable to cross-site scripting |
CWE‑707 | C++ | cpp/sql-injection | Uncontrolled data in SQL query |
CWE‑707 | C++ | cpp/tainted-format-string | Uncontrolled format string |
CWE‑707 | C++ | cpp/tainted-format-string-through-global | Uncontrolled format string (through global variable) |
CWE‑707 | C++ | cpp/user-controlled-null-termination-tainted | User-controlled data may not be null terminated |
CWE‑707 | C++ | cpp/wordexp-injection | Uncontrolled data used in wordexp command |
CWE‑707 | C# | cs/path-injection | Uncontrolled data used in path expression |
CWE‑707 | C# | cs/command-line-injection | Uncontrolled command line |
CWE‑707 | C# | cs/stored-command-line-injection | Uncontrolled command line from stored user input |
CWE‑707 | C# | cs/web/stored-xss | Stored cross-site scripting |
CWE‑707 | C# | cs/web/xss | Cross-site scripting |
CWE‑707 | C# | cs/second-order-sql-injection | SQL query built from stored user-controlled sources |
CWE‑707 | C# | cs/sql-injection | SQL query built from user-controlled sources |
CWE‑707 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
CWE‑707 | C# | cs/stored-ldap-injection | LDAP query built from stored user-controlled sources |
CWE‑707 | C# | cs/xml-injection | XML injection |
CWE‑707 | C# | cs/code-injection | Improper control of generation of code |
CWE‑707 | C# | cs/resource-injection | Resource injection |
CWE‑707 | C# | cs/log-forging | Log entries created from user input |
CWE‑707 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
CWE‑707 | C# | cs/xml/stored-xpath-injection | Stored XPath injection |
CWE‑707 | C# | cs/xml/xpath-injection | XPath injection |
CWE‑707 | C# | cs/inappropriate-encoding | Inappropriate encoding |
CWE‑707 | C# | cs/web/disabled-header-checking | Header checking disabled |
CWE‑707 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
CWE‑707 | Go | go/path-injection | Uncontrolled data used in path expression |
CWE‑707 | Go | go/command-injection | Command built from user-controlled sources |
CWE‑707 | Go | go/stored-command | Command built from stored data |
CWE‑707 | Go | go/reflected-xss | Reflected cross-site scripting |
CWE‑707 | Go | go/stored-xss | Stored cross-site scripting |
CWE‑707 | Go | go/sql-injection | Database query built from user-controlled sources |
CWE‑707 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑707 | Go | go/log-injection | Log entries created from user input |
CWE‑707 | Go | go/xml/xpath-injection | XPath injection |
CWE‑707 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
CWE‑707 | Go | go/dsn-injection | SQL Data-source URI built from user-controlled sources |
CWE‑707 | Go | go/dsn-injection-local | SQL Data-source URI built from local user-controlled sources |
CWE‑707 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
CWE‑707 | Java | java/jndi-injection | JNDI lookup with user-controlled name |
CWE‑707 | Java | java/xslt-injection | XSLT transformation with user-controlled stylesheet |
CWE‑707 | Java | java/relative-path-command | Executing a command with a relative path |
CWE‑707 | Java | java/command-line-injection | Uncontrolled command line |
CWE‑707 | Java | java/command-line-injection-local | Local-user-controlled command line |
CWE‑707 | Java | java/concatenated-command-line | Building a command line with string concatenation |
CWE‑707 | Java | java/android/webview-addjavascriptinterface | Access Java object methods through JavaScript exposure |
CWE‑707 | Java | java/android/websettings-javascript-enabled | Android WebView JavaScript settings |
CWE‑707 | Java | java/xss | Cross-site scripting |
CWE‑707 | Java | java/xss-local | Cross-site scripting from local source |
CWE‑707 | Java | java/concatenated-sql-query | Query built by concatenation with a possibly-untrusted string |
CWE‑707 | Java | java/sql-injection | Query built from user-controlled sources |
CWE‑707 | Java | java/sql-injection-local | Query built from local-user-controlled sources |
CWE‑707 | Java | java/ldap-injection | LDAP query built from user-controlled sources |
CWE‑707 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑707 | Java | java/groovy-injection | Groovy Language injection |
CWE‑707 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑707 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑707 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑707 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑707 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑707 | Java | java/netty-http-request-or-response-splitting | Disabled Netty HTTP header validation |
CWE‑707 | Java | java/http-response-splitting | HTTP response splitting |
CWE‑707 | Java | java/http-response-splitting-local | HTTP response splitting from local source |
CWE‑707 | Java | java/log-injection | Log Injection |
CWE‑707 | Java | java/tainted-format-string | Use of externally-controlled format string |
CWE‑707 | Java | java/tainted-format-string-local | Use of externally-controlled format string from local source |
CWE‑707 | Java | java/xml/xpath-injection | XPath injection |
CWE‑707 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑707 | Java | java/ognl-injection | OGNL Expression Language statement with user-controlled input |
CWE‑707 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑707 | Java | java/command-line-injection-extra | Command Injection into Runtime.exec() with dangerous command |
CWE‑707 | Java | java/command-line-injection-extra-local | Command Injection into Runtime.exec() with dangerous command |
CWE‑707 | Java | java/command-line-injection-experimental | Uncontrolled command line (experimental sinks) |
CWE‑707 | Java | java/mybatis-annotation-sql-injection | SQL injection in MyBatis annotation |
CWE‑707 | Java | java/mybatis-xml-sql-injection | SQL injection in MyBatis Mapper XML |
CWE‑707 | Java | java/beanshell-injection | BeanShell injection |
CWE‑707 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑707 | Java | java/jshell-injection | JShell injection |
CWE‑707 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑707 | Java | java/jython-injection | Injection in Jython |
CWE‑707 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑707 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑707 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑707 | Java | java/xquery-injection | XQuery query built from user-controlled sources |
CWE‑707 | JavaScript | js/angular/disabling-sce | Disabling SCE |
CWE‑707 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
CWE‑707 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑707 | JavaScript | js/identity-replacement | Replacement of a substring with itself |
CWE‑707 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
CWE‑707 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑707 | JavaScript | js/command-line-injection | Uncontrolled command line |
CWE‑707 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
CWE‑707 | JavaScript | js/second-order-command-line-injection | Second order command injection |
CWE‑707 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
CWE‑707 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑707 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
CWE‑707 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
CWE‑707 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
CWE‑707 | JavaScript | js/stored-xss | Stored cross-site scripting |
CWE‑707 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑707 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
CWE‑707 | JavaScript | js/xss | Client-side cross-site scripting |
CWE‑707 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
CWE‑707 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
CWE‑707 | JavaScript | js/code-injection | Code injection |
CWE‑707 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑707 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑707 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑707 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑707 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
CWE‑707 | JavaScript | js/double-escaping | Double escaping or unescaping |
CWE‑707 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
CWE‑707 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑707 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑707 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
CWE‑707 | JavaScript | js/log-injection | Log injection |
CWE‑707 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
CWE‑707 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
CWE‑707 | JavaScript | js/xpath-injection | XPath injection |
CWE‑707 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑707 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑707 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑707 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑707 | JavaScript | js/command-line-injection-more-sources | Uncontrolled command line with additional heuristic sources |
CWE‑707 | JavaScript | js/xss-more-sources | Client-side cross-site scripting with additional heuristic sources |
CWE‑707 | JavaScript | js/sql-injection-more-sources | Database query built from user-controlled sources with additional heuristic sources |
CWE‑707 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑707 | JavaScript | js/log-injection-more-sources | Log injection with additional heuristic sources |
CWE‑707 | JavaScript | js/tainted-format-string-more-sources | Use of externally-controlled format string with additional heuristic sources |
CWE‑707 | JavaScript | js/xpath-injection-more-sources | XPath injection with additional heuristic sources |
CWE‑707 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑707 | Python | py/path-injection | Uncontrolled data used in path expression |
CWE‑707 | Python | py/command-line-injection | Uncontrolled command line |
CWE‑707 | Python | py/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑707 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
CWE‑707 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
CWE‑707 | Python | py/sql-injection | SQL query built from user-controlled sources |
CWE‑707 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
CWE‑707 | Python | py/code-injection | Code injection |
CWE‑707 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
CWE‑707 | Python | py/log-injection | Log Injection |
CWE‑707 | Python | py/xpath-injection | XPath query built from user-controlled sources |
CWE‑707 | Python | py/template-injection | Server Side Template Injection |
CWE‑707 | Python | py/paramiko-command-injection | RCE with user provided command with paramiko ssh client |
CWE‑707 | Python | py/reflective-xss-email | Reflected server-side cross-site scripting |
CWE‑707 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
CWE‑707 | Python | py/header-injection | HTTP Header Injection |
CWE‑707 | Python | py/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑707 | Python | py/nosql-injection | NoSQL Injection |
CWE‑707 | Ruby | rb/unicode-bypass-validation | Bypass Logical Validation Using Unicode Characters |
CWE‑707 | Ruby | rb/ldap-injection | LDAP Injection |
CWE‑707 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑707 | Ruby | rb/xpath-injection | XPath query built from user-controlled sources |
CWE‑707 | Ruby | rb/path-injection | Uncontrolled data used in path expression |
CWE‑707 | Ruby | rb/command-line-injection | Uncontrolled command line |
CWE‑707 | Ruby | rb/kernel-open | Use of Kernel.open, IO.read or similar sinks with user-controlled input |
CWE‑707 | Ruby | rb/non-constant-kernel-open | Use of Kernel.open or IO.read or similar sinks with a non-constant value |
CWE‑707 | Ruby | rb/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
CWE‑707 | Ruby | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑707 | Ruby | rb/stored-xss | Stored cross-site scripting |
CWE‑707 | Ruby | rb/html-constructed-from-input | Unsafe HTML constructed from library input |
CWE‑707 | Ruby | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑707 | Ruby | rb/code-injection | Code injection |
CWE‑707 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑707 | Ruby | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑707 | Ruby | rb/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
CWE‑707 | Ruby | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑707 | Ruby | rb/log-injection | Log injection |
CWE‑707 | Ruby | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑707 | Swift | swift/command-line-injection | System command built from user-controlled sources |
CWE‑707 | Swift | swift/path-injection | Uncontrolled data used in path expression |
CWE‑707 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑707 | Swift | swift/sql-injection | Database query built from user-controlled sources |
CWE‑707 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑707 | Swift | swift/bad-tag-filter | Bad HTML filtering regexp |
CWE‑707 | Swift | swift/uncontrolled-format-string | Uncontrolled format string |
CWE‑707 | Swift | swift/predicate-injection | Predicate built from user-controlled sources |
CWE‑710 | C++ | cpp/unused-local-variable | Unused local variable |
CWE‑710 | C++ | cpp/unused-static-function | Unused static function |
CWE‑710 | C++ | cpp/unused-static-variable | Unused static variable |
CWE‑710 | C++ | cpp/dead-code-condition | Branching condition always evaluates to same value |
CWE‑710 | C++ | cpp/dead-code-function | Function is never called |
CWE‑710 | C++ | cpp/dead-code-goto | Dead code due to goto or break statement |
CWE‑710 | C++ | cpp/double-free | Potential double free |
CWE‑710 | C++ | cpp/inconsistent-nullness-testing | Inconsistent null check of pointer |
CWE‑710 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑710 | C++ | cpp/missing-null-test | Returned pointer not checked |
CWE‑710 | C++ | cpp/unused-variable | Variable is assigned a value that is never read |
CWE‑710 | C++ | cpp/fixme-comment | FIXME comment |
CWE‑710 | C++ | cpp/todo-comment | TODO comment |
CWE‑710 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑710 | C++ | cpp/wrong-number-format-arguments | Too few arguments to formatting function |
CWE‑710 | C++ | cpp/wrong-type-format-argument | Wrong type of arguments to formatting function |
CWE‑710 | C++ | cpp/inconsistent-null-check | Inconsistent nullness check |
CWE‑710 | C++ | cpp/useless-expression | Expression has no effect |
CWE‑710 | C++ | cpp/pointer-overflow-check | Pointer overflow check |
CWE‑710 | C++ | cpp/bad-strncpy-size | Possibly wrong buffer size in string copy |
CWE‑710 | C++ | cpp/suspicious-call-to-memset | Suspicious call to memset |
CWE‑710 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑710 | C++ | cpp/unsafe-strcat | Potentially unsafe use of strcat |
CWE‑710 | C++ | cpp/redundant-null-check-simple | Redundant null check due to previous dereference |
CWE‑710 | C++ | cpp/too-few-arguments | Call to function with fewer arguments than declared parameters |
CWE‑710 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑710 | C++ | cpp/memset-may-be-deleted | Call to memset may be deleted |
CWE‑710 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑710 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑710 | C++ | cpp/dangerous-function-overflow | Use of dangerous function |
CWE‑710 | C++ | cpp/dangerous-cin | Dangerous use of 'cin' |
CWE‑710 | C++ | cpp/potentially-dangerous-function | Use of potentially dangerous function |
CWE‑710 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑710 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑710 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑710 | C++ | cpp/redundant-null-check-param | Redundant null check or missing null check of parameter |
CWE‑710 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑710 | C++ | cpp/wrong-use-of-the-umask | Find the wrong use of the umask function. |
CWE‑710 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑710 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑710 | C++ | cpp/operator-find-incorrectly-used-switch | Incorrect switch statement |
CWE‑710 | C++ | cpp/double-release | Errors When Double Release |
CWE‑710 | C++ | cpp/errors-of-undefined-program-behavior | Errors Of Undefined Program Behavior |
CWE‑710 | C# | cs/call-to-obsolete-method | Call to obsolete method |
CWE‑710 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
CWE‑710 | C# | cs/todo-comment | TODO comment |
CWE‑710 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑710 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑710 | C# | cs/unused-reftype | Dead reference types |
CWE‑710 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | C# | cs/unused-field | Unused field |
CWE‑710 | C# | cs/unused-method | Unused method |
CWE‑710 | C# | cs/captured-foreach-variable | Capturing a foreach variable |
CWE‑710 | C# | cs/useless-cast-to-self | Cast to same type |
CWE‑710 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
CWE‑710 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
CWE‑710 | C# | cs/useless-type-test | Useless type test |
CWE‑710 | C# | cs/useless-upcast | Useless upcast |
CWE‑710 | C# | cs/empty-collection | Container contents are never initialized |
CWE‑710 | C# | cs/unused-collection | Container contents are never accessed |
CWE‑710 | C# | cs/invalid-dynamic-call | Bad dynamic call |
CWE‑710 | C# | cs/empty-lock-statement | Empty lock statement |
CWE‑710 | C# | cs/linq/useless-select | Redundant Select |
CWE‑710 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑710 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑710 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑710 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
CWE‑710 | Go | go/useless-assignment-to-field | Useless assignment to field |
CWE‑710 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | Go | go/duplicate-branches | Duplicate 'if' branches |
CWE‑710 | Go | go/duplicate-condition | Duplicate 'if' condition |
CWE‑710 | Go | go/duplicate-switch-case | Duplicate switch case |
CWE‑710 | Go | go/useless-expression | Expression has no effect |
CWE‑710 | Go | go/redundant-operation | Identical operands |
CWE‑710 | Go | go/redundant-assignment | Self assignment |
CWE‑710 | Go | go/unreachable-statement | Unreachable statement |
CWE‑710 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
CWE‑710 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑710 | Java | java/deprecated-call | Deprecated method or constructor invocation |
CWE‑710 | Java | java/dead-class | Dead class |
CWE‑710 | Java | java/dead-enum-constant | Dead enum constant |
CWE‑710 | Java | java/dead-field | Dead field |
CWE‑710 | Java | java/dead-function | Dead method |
CWE‑710 | Java | java/lines-of-dead-code | Lines of dead code in files |
CWE‑710 | Java | java/unused-parameter | Useless parameter |
CWE‑710 | Java | java/ejb/container-interference | EJB interferes with container operation |
CWE‑710 | Java | java/ejb/file-io | EJB uses file input/output |
CWE‑710 | Java | java/ejb/graphics | EJB uses graphics |
CWE‑710 | Java | java/ejb/native-code | EJB uses native code |
CWE‑710 | Java | java/ejb/reflection | EJB uses reflection |
CWE‑710 | Java | java/ejb/security-configuration-access | EJB accesses security configuration |
CWE‑710 | Java | java/ejb/substitution-in-serialization | EJB uses substitution in serialization |
CWE‑710 | Java | java/ejb/socket-or-stream-handler-factory | EJB sets socket factory or URL stream handler factory |
CWE‑710 | Java | java/ejb/server-socket | EJB uses server socket |
CWE‑710 | Java | java/ejb/non-final-static-field | EJB uses non-final static field |
CWE‑710 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑710 | Java | java/ejb/this | EJB uses 'this' as argument or result |
CWE‑710 | Java | java/ejb/threads | EJB uses threads |
CWE‑710 | Java | java/useless-null-check | Useless null check |
CWE‑710 | Java | java/useless-type-test | Useless type test |
CWE‑710 | Java | java/useless-upcast | Useless upcast |
CWE‑710 | Java | java/missing-call-to-super-clone | Missing super clone |
CWE‑710 | Java | java/empty-container | Container contents are never initialized |
CWE‑710 | Java | java/unused-container | Container contents are never accessed |
CWE‑710 | Java | java/inconsistent-equals-and-hashcode | Inconsistent equals and hashCode |
CWE‑710 | Java | java/constant-comparison | Useless comparison test |
CWE‑710 | Java | java/unreleased-lock | Unreleased lock |
CWE‑710 | Java | java/missing-super-finalize | Finalizer inconsistency |
CWE‑710 | Java | java/missing-format-argument | Missing format argument |
CWE‑710 | Java | java/unused-format-argument | Unused format argument |
CWE‑710 | Java | java/dereferenced-value-is-always-null | Dereferenced variable is always null |
CWE‑710 | Java | java/dereferenced-expr-may-be-null | Dereferenced expression may be null |
CWE‑710 | Java | java/dereferenced-value-may-be-null | Dereferenced variable may be null |
CWE‑710 | Java | java/empty-synchronized-block | Empty synchronized block |
CWE‑710 | Java | java/unreachable-catch-clause | Unreachable catch clause |
CWE‑710 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑710 | Java | java/potentially-dangerous-function | Use of a potentially dangerous function |
CWE‑710 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑710 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑710 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑710 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑710 | Java | java/todo-comment | TODO/FIXME comments |
CWE‑710 | Java | java/unused-reference-type | Unused classes and interfaces |
CWE‑710 | Java | java/overwritten-assignment-to-local | Assigned value is overwritten |
CWE‑710 | Java | java/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | Java | java/empty-finalizer | Empty body of finalizer |
CWE‑710 | Java | java/unused-initialized-local | Local variable is initialized but not used |
CWE‑710 | Java | java/local-variable-is-never-read | Unread local variable |
CWE‑710 | Java | java/unused-field | Unused field |
CWE‑710 | Java | java/unused-label | Unused label |
CWE‑710 | Java | java/unused-local-variable | Unused local variable |
CWE‑710 | Java | java/switch-fall-through | Unterminated switch case |
CWE‑710 | Java | java/redundant-cast | Unnecessary cast |
CWE‑710 | Java | java/unused-import | Unnecessary import |
CWE‑710 | JavaScript | js/todo-comment | TODO comment |
CWE‑710 | JavaScript | js/conflicting-html-attribute | Conflicting HTML element attributes |
CWE‑710 | JavaScript | js/malformed-html-id | Malformed id attribute |
CWE‑710 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
CWE‑710 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
CWE‑710 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
CWE‑710 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
CWE‑710 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | JavaScript | js/overwritten-property | Overwritten property |
CWE‑710 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
CWE‑710 | JavaScript | js/comparison-with-nan | Comparison with NaN |
CWE‑710 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
CWE‑710 | JavaScript | js/duplicate-property | Duplicate property |
CWE‑710 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
CWE‑710 | JavaScript | js/useless-expression | Expression has no effect |
CWE‑710 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
CWE‑710 | JavaScript | js/redundant-operation | Identical operands |
CWE‑710 | JavaScript | js/redundant-assignment | Self assignment |
CWE‑710 | JavaScript | js/call-to-non-callable | Invocation of non-function |
CWE‑710 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
CWE‑710 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
CWE‑710 | JavaScript | js/useless-type-test | Useless type test |
CWE‑710 | JavaScript | js/conditional-comment | Conditional comments |
CWE‑710 | JavaScript | js/eval-call | Use of eval |
CWE‑710 | JavaScript | js/non-standard-language-feature | Use of platform-specific language features |
CWE‑710 | JavaScript | js/for-in-comprehension | Use of for-in comprehension blocks |
CWE‑710 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
CWE‑710 | JavaScript | js/yield-outside-generator | Yield in non-generator function |
CWE‑710 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
CWE‑710 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
CWE‑710 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
CWE‑710 | JavaScript | js/remote-property-injection | Remote property injection |
CWE‑710 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑710 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑710 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | JavaScript | js/http-to-file-access | Network data written to file |
CWE‑710 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
CWE‑710 | JavaScript | js/unreachable-statement | Unreachable statement |
CWE‑710 | JavaScript | js/trivial-conditional | Useless conditional |
CWE‑710 | JavaScript | js/remote-property-injection-more-sources | Remote property injection with additional heuristic sources |
CWE‑710 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
CWE‑710 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
CWE‑710 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
CWE‑710 | Python | py/unreachable-except | Unreachable 'except' block |
CWE‑710 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
CWE‑710 | Python | py/comparison-of-constants | Comparison of constants |
CWE‑710 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
CWE‑710 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
CWE‑710 | Python | py/redundant-comparison | Redundant comparison |
CWE‑710 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
CWE‑710 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
CWE‑710 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
CWE‑710 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
CWE‑710 | Python | py/import-deprecated-module | Import of deprecated module |
CWE‑710 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
CWE‑710 | Python | py/redundant-assignment | Redundant assignment |
CWE‑710 | Python | py/ineffectual-statement | Statement has no effect |
CWE‑710 | Python | py/unreachable-statement | Unreachable code |
CWE‑710 | Python | py/multiple-definition | Variable defined multiple times |
CWE‑710 | Python | py/unused-local-variable | Unused local variable |
CWE‑710 | Python | py/unused-global-variable | Unused global variable |
CWE‑710 | Ruby | rb/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑710 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | Ruby | rb/http-to-file-access | Network data written to file |
CWE‑710 | Ruby | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | Ruby | rb/unused-parameter | Unused parameter. |
CWE‑710 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑710 | Swift | swift/constant-password | Constant password |
CWE‑710 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑732 | C++ | cpp/world-writable-file-creation | File created without restricting permissions |
CWE‑732 | C++ | cpp/open-call-with-mode-argument | File opened with O_CREAT flag but without mode argument |
CWE‑732 | C++ | cpp/unsafe-dacl-security-descriptor | Setting a DACL to NULL in a SECURITY_DESCRIPTOR |
CWE‑732 | Java | java/local-temp-file-or-directory-information-disclosure | Local information disclosure in a temporary directory |
CWE‑732 | Java | java/world-writable-file-read | Reading from a world writable file |
CWE‑732 | Python | py/overly-permissive-file | Overly permissive file permissions |
CWE‑732 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑732 | Ruby | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑733 | C++ | cpp/memset-may-be-deleted | Call to memset may be deleted |
CWE‑749 | Java | java/android/unsafe-android-webview-fetch | Unsafe resource fetching in Android WebView |
CWE‑749 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑749 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑754 | C++ | cpp/missing-check-scanf | Missing return-value check for a 'scanf'-like function |
CWE‑754 | C++ | cpp/return-value-ignored | Return value of a function is ignored |
CWE‑754 | C++ | cpp/overflowing-snprintf | Potentially overflowing call to snprintf |
CWE‑754 | C++ | cpp/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑754 | C++ | cpp/ignore-return-value-sal | SAL requires inspecting return value |
CWE‑754 | C++ | cpp/hresult-boolean-conversion | Cast between HRESULT and a Boolean type |
CWE‑754 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑754 | C++ | cpp/work-with-changing-working-directories | Find work with changing working directories, with security errors. |
CWE‑754 | C++ | cpp/drop-linux-privileges-outoforder | LinuxPrivilegeDroppingOutoforder |
CWE‑754 | C++ | cpp/improper-check-return-value-scanf | Improper check of return value of scanf |
CWE‑754 | C# | cs/unchecked-return-value | Unchecked return value |
CWE‑754 | Java | java/inconsistent-call-on-result | Inconsistent operation on return value |
CWE‑754 | Java | java/return-value-ignored | Method result ignored |
CWE‑754 | Java | java/unsafe-cert-trust | Unsafe certificate trust |
CWE‑754 | JavaScript | js/unvalidated-dynamic-method-call | Unvalidated dynamic method call |
CWE‑754 | Python | py/ignored-return-value | Ignored return value |
CWE‑755 | C++ | cpp/incorrect-allocation-error-handling | Incorrect allocation-error handling |
CWE‑755 | C++ | cpp/operator-find-incorrectly-used-exceptions | Operator Find Incorrectly Used Exceptions |
CWE‑755 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
CWE‑755 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
CWE‑755 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
CWE‑755 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
CWE‑755 | C# | cs/catch-of-all-exceptions | Generic catch clause |
CWE‑755 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
CWE‑755 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑755 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
CWE‑755 | Java | java/stack-trace-exposure | Information exposure through a stack trace |
CWE‑755 | Java | java/overly-general-catch | Overly-general catch clause |
CWE‑755 | Java | java/android/nfe-local-android-dos | Local Android DoS Caused By NumberFormatException |
CWE‑755 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
CWE‑755 | Python | py/catch-base-exception | Except block handles 'BaseException' |
CWE‑755 | Python | py/empty-except | Empty except |
CWE‑755 | Python | py/stack-trace-exposure | Information exposure through an exception |
CWE‑755 | Ruby | rb/stack-trace-exposure | Information exposure through an exception |
CWE‑756 | C# | cs/web/missing-global-error-handler | Missing global error handler |
CWE‑757 | Swift | swift/insecure-tls | Insecure TLS configuration |
CWE‑758 | C++ | cpp/pointer-overflow-check | Pointer overflow check |
CWE‑758 | C++ | cpp/memset-may-be-deleted | Call to memset may be deleted |
CWE‑758 | C++ | cpp/errors-of-undefined-program-behavior | Errors Of Undefined Program Behavior |
CWE‑758 | C# | cs/captured-foreach-variable | Capturing a foreach variable |
CWE‑758 | JavaScript | js/conflicting-html-attribute | Conflicting HTML element attributes |
CWE‑758 | JavaScript | js/malformed-html-id | Malformed id attribute |
CWE‑758 | JavaScript | js/conditional-comment | Conditional comments |
CWE‑758 | JavaScript | js/non-standard-language-feature | Use of platform-specific language features |
CWE‑758 | JavaScript | js/for-in-comprehension | Use of for-in comprehension blocks |
CWE‑758 | JavaScript | js/yield-outside-generator | Yield in non-generator function |
CWE‑759 | Java | java/hash-without-salt | Use of a hash function without a salt |
CWE‑760 | Swift | swift/constant-salt | Use of constant salts |
CWE‑764 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑764 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑764 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑764 | Java | java/unreleased-lock | Unreleased lock |
CWE‑770 | C++ | cpp/alloca-in-loop | Call to alloca in a loop |
CWE‑770 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑770 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑770 | JavaScript | js/resource-exhaustion | Resource exhaustion |
CWE‑770 | JavaScript | js/resource-exhaustion-more-sources | Resource exhaustion with additional heuristic sources |
CWE‑772 | C++ | cpp/catch-missing-free | Leaky catch |
CWE‑772 | C++ | cpp/descriptor-may-not-be-closed | Open descriptor may not be closed |
CWE‑772 | C++ | cpp/descriptor-never-closed | Open descriptor never closed |
CWE‑772 | C++ | cpp/file-may-not-be-closed | Open file may not be closed |
CWE‑772 | C++ | cpp/file-never-closed | Open file is not closed |
CWE‑772 | C++ | cpp/memory-may-not-be-freed | Memory may not be freed |
CWE‑772 | C++ | cpp/memory-never-freed | Memory is never freed |
CWE‑772 | C++ | cpp/new-free-mismatch | Mismatching new/free or malloc/delete |
CWE‑772 | C++ | cpp/memory-leak-on-failed-call-to-realloc | Memory leak on failed call to realloc |
CWE‑772 | Java | java/input-resource-leak | Potential input resource leak |
CWE‑772 | Java | java/database-resource-leak | Potential database resource leak |
CWE‑772 | Java | java/output-resource-leak | Potential output resource leak |
CWE‑772 | Python | py/file-not-closed | File is not always closed |
CWE‑775 | C++ | cpp/descriptor-may-not-be-closed | Open descriptor may not be closed |
CWE‑775 | C++ | cpp/descriptor-never-closed | Open descriptor never closed |
CWE‑775 | C++ | cpp/file-may-not-be-closed | Open file may not be closed |
CWE‑775 | C++ | cpp/file-never-closed | Open file is not closed |
CWE‑776 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑776 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑776 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑776 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑776 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑776 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑776 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑776 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑776 | Ruby | rb/xxe | XML external entity expansion |
CWE‑776 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑780 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding |
CWE‑780 | Java | java/rsa-without-oaep | Use of RSA algorithm without OAEP |
CWE‑783 | C++ | cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations | Operator Precedence Logic Error When Use Bitwise Or Logical Operations |
CWE‑783 | C++ | cpp/operator-precedence-logic-error-when-use-bool-type | Operator Precedence Logic Error When Use Bool Type |
CWE‑783 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑783 | Java | java/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑783 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
CWE‑783 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
CWE‑787 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑787 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑787 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑787 | C++ | cpp/badly-bounded-write | Badly bounded write |
CWE‑787 | C++ | cpp/overrunning-write | Potentially overrunning write |
CWE‑787 | C++ | cpp/overrunning-write-with-float | Potentially overrunning write with float to string conversion |
CWE‑787 | C++ | cpp/unbounded-write | Unbounded write |
CWE‑787 | C++ | cpp/very-likely-overrunning-write | Likely overrunning write |
CWE‑787 | C++ | cpp/unterminated-variadic-call | Unterminated variadic call |
CWE‑787 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑787 | C++ | cpp/invalid-pointer-deref | Invalid pointer dereference |
CWE‑787 | C++ | cpp/sign-conversion-pointer-arithmetic | unsigned to signed used in pointer arithmetic |
CWE‑787 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑788 | C++ | cpp/allocation-too-small | Not enough memory allocated for pointer type |
CWE‑788 | C++ | cpp/suspicious-allocation-size | Not enough memory allocated for array of pointer type |
CWE‑788 | C++ | cpp/unsafe-strncat | Potentially unsafe call to strncat |
CWE‑788 | C++ | cpp/overflow-buffer | Call to memory access function may overflow buffer |
CWE‑788 | C++ | cpp/unterminated-variadic-call | Unterminated variadic call |
CWE‑788 | C++ | cpp/no-space-for-terminator | No space for zero terminator |
CWE‑788 | C++ | cpp/openssl-heartbleed | Use of a version of OpenSSL with Heartbleed |
CWE‑788 | C++ | cpp/access-memory-location-after-end-buffer-strlen | Access Of Memory Location After End Of Buffer |
CWE‑788 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
CWE‑788 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
CWE‑789 | C++ | cpp/uncontrolled-allocation-size | Overflow in uncontrolled allocation size |
CWE‑798 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
CWE‑798 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
CWE‑798 | C# | cs/hardcoded-credentials | Hard-coded credentials |
CWE‑798 | Go | go/hardcoded-credentials | Hard-coded credentials |
CWE‑798 | Go | go/hardcoded-key | Use of a hardcoded key for signing JWT |
CWE‑798 | Java | java/hardcoded-credential-api-call | Hard-coded credential in API call |
CWE‑798 | Java | java/hardcoded-credential-comparison | Hard-coded credential comparison |
CWE‑798 | Java | java/hardcoded-credential-sensitive-call | Hard-coded credential in sensitive call |
CWE‑798 | Java | java/hardcoded-password-field | Hard-coded password field |
CWE‑798 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
CWE‑798 | Python | py/hardcoded-credentials | Hard-coded credentials |
CWE‑798 | Ruby | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑798 | Swift | swift/constant-password | Constant password |
CWE‑798 | Swift | swift/hardcoded-key | Hard-coded encryption key |
CWE‑799 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
CWE‑805 | C++ | cpp/badly-bounded-write | Badly bounded write |
CWE‑805 | C++ | cpp/overrunning-write | Potentially overrunning write |
CWE‑805 | C++ | cpp/overrunning-write-with-float | Potentially overrunning write with float to string conversion |
CWE‑805 | C++ | cpp/unbounded-write | Unbounded write |
CWE‑805 | C++ | cpp/very-likely-overrunning-write | Likely overrunning write |
CWE‑805 | C++ | cpp/buffer-access-with-incorrect-length-value | Buffer access with incorrect length value |
CWE‑807 | C++ | cpp/tainted-permissions-check | Untrusted input for a condition |
CWE‑807 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑807 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑807 | Java | java/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑807 | Java | java/tainted-permissions-check | User-controlled data used in permissions check |
CWE‑807 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
CWE‑807 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
CWE‑807 | JavaScript | js/user-controlled-bypass-more-sources | User-controlled bypass of security check with additional heuristic sources |
CWE‑807 | Ruby | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑820 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
CWE‑820 | Java | java/lazy-initialization | Incorrect lazy initialization of a static field |
CWE‑820 | Java | java/non-sync-override | Non-synchronized override of synchronized method |
CWE‑821 | Java | java/ejb/synchronization | EJB uses synchronization |
CWE‑821 | Java | java/call-to-thread-run | Direct call to a run() method |
CWE‑823 | C++ | cpp/late-negative-test | Pointer offset used before it is checked |
CWE‑823 | C++ | cpp/missing-negativity-test | Unchecked return value used as offset |
CWE‑825 | C++ | cpp/double-free | Potential double free |
CWE‑825 | C++ | cpp/use-after-free | Potential use after free |
CWE‑825 | C++ | cpp/return-stack-allocated-memory | Returning stack-allocated memory |
CWE‑825 | C++ | cpp/using-expired-stack-address | Use of expired stack-address |
CWE‑825 | C++ | cpp/experimental-double-free | Errors When Double Free |
CWE‑825 | C++ | cpp/dangerous-use-of-exception-blocks | Dangerous use of exception blocks. |
CWE‑826 | C++ | cpp/self-assignment-check | Self assignment check |
CWE‑827 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑827 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑827 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑827 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑827 | JavaScript | js/xxe | XML external entity expansion |
CWE‑827 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑827 | Python | py/xxe | XML external entity expansion |
CWE‑827 | Ruby | rb/xxe | XML external entity expansion |
CWE‑827 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑829 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑829 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑829 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑829 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑829 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑829 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑829 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑829 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
CWE‑829 | JavaScript | js/xxe | XML external entity expansion |
CWE‑829 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
CWE‑829 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
CWE‑829 | JavaScript | js/xxe-more-sources | XML external entity expansion with additional heuristic sources |
CWE‑829 | Python | py/xxe | XML external entity expansion |
CWE‑829 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑829 | Ruby | rb/xxe | XML external entity expansion |
CWE‑829 | Ruby | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑829 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑830 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
CWE‑833 | C++ | cpp/lock-order-cycle | Cyclic lock order dependency |
CWE‑833 | C++ | cpp/twice-locked | Mutex locked twice |
CWE‑833 | C++ | cpp/unreleased-lock | Lock may not be released |
CWE‑833 | C# | cs/locked-wait | A lock is held during a wait |
CWE‑833 | Java | java/sleep-with-lock-held | Sleep with lock held |
CWE‑833 | Java | java/unreleased-lock | Unreleased lock |
CWE‑833 | Java | java/wait-with-two-locks | Wait with two locks held |
CWE‑833 | Java | java/lock-order-inconsistency | Lock order inconsistency |
CWE‑834 | C++ | cpp/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑834 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑834 | C++ | cpp/infinite-loop-with-unsatisfiable-exit-condition | Infinite loop with unsatisfiable exit condition |
CWE‑834 | C# | cs/constant-condition | Constant condition |
CWE‑834 | C# | cs/linq/inconsistent-enumeration | Bad multiple iteration |
CWE‑834 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
CWE‑834 | C# | cs/insecure-xml-read | XML is read insecurely |
CWE‑834 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑834 | Java | java/constant-loop-condition | Constant loop condition |
CWE‑834 | Java | java/xxe | Resolving XML external entity in user-controlled data |
CWE‑834 | Java | java/xxe-local | Resolving XML external entity in user-controlled data from local source |
CWE‑834 | Java | java/unreachable-exit-in-loop | Loop with unreachable exit condition |
CWE‑834 | JavaScript | js/xml-bomb | XML internal entity expansion |
CWE‑834 | JavaScript | js/loop-bound-injection | Loop bound injection |
CWE‑834 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑834 | JavaScript | js/xml-bomb-more-sources | XML internal entity expansion with additional heuristic sources |
CWE‑834 | Python | py/xml-bomb | XML internal entity expansion |
CWE‑834 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer denial of service |
CWE‑834 | Ruby | rb/xxe | XML external entity expansion |
CWE‑834 | Swift | swift/xxe | Resolving XML external entity in user-controlled data |
CWE‑835 | C++ | cpp/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑835 | C++ | cpp/comparison-with-wider-type | Comparison of narrow type with wide type in loop condition |
CWE‑835 | C++ | cpp/infinite-loop-with-unsatisfiable-exit-condition | Infinite loop with unsatisfiable exit condition |
CWE‑835 | C# | cs/constant-condition | Constant condition |
CWE‑835 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑835 | Java | java/constant-loop-condition | Constant loop condition |
CWE‑835 | Java | java/unreachable-exit-in-loop | Loop with unreachable exit condition |
CWE‑835 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
CWE‑838 | C# | cs/inappropriate-encoding | Inappropriate encoding |
CWE‑843 | C++ | cpp/upcast-array-pointer-arithmetic | Upcast array used in pointer arithmetic |
CWE‑843 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
CWE‑862 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
CWE‑862 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
CWE‑862 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑862 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑862 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
CWE‑862 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑908 | C++ | cpp/improper-check-return-value-scanf | Improper check of return value of scanf |
CWE‑909 | C++ | cpp/initialization-not-run | Initialization code not run |
CWE‑912 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑912 | JavaScript | js/http-to-file-access | Network data written to file |
CWE‑912 | Ruby | rb/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
CWE‑912 | Ruby | rb/http-to-file-access | Network data written to file |
CWE‑913 | C# | cs/code-injection | Improper control of generation of code |
CWE‑913 | C# | cs/deserialized-delegate | Deserialized delegate |
CWE‑913 | C# | cs/unsafe-deserialization | Unsafe deserializer |
CWE‑913 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data |
CWE‑913 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑913 | Java | java/android/arbitrary-apk-installation | Android APK installation |
CWE‑913 | Java | java/groovy-injection | Groovy Language injection |
CWE‑913 | Java | java/insecure-bean-validation | Insecure Bean Validation |
CWE‑913 | Java | java/jexl-expression-injection | Expression language injection (JEXL) |
CWE‑913 | Java | java/mvel-expression-injection | Expression language injection (MVEL) |
CWE‑913 | Java | java/spel-expression-injection | Expression language injection (Spring) |
CWE‑913 | Java | java/server-side-template-injection | Server-side template injection |
CWE‑913 | Java | java/android/fragment-injection | Android fragment injection |
CWE‑913 | Java | java/android/fragment-injection-preference-activity | Android fragment injection in PreferenceActivity |
CWE‑913 | Java | java/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑913 | Java | java/log4j-injection | Potential Log4J LDAP JNDI injection (CVE-2021-44228) |
CWE‑913 | Java | java/beanshell-injection | BeanShell injection |
CWE‑913 | Java | java/android-insecure-dex-loading | Insecure loading of an Android Dex File |
CWE‑913 | Java | java/jshell-injection | JShell injection |
CWE‑913 | Java | java/javaee-expression-injection | Jakarta Expression Language injection |
CWE‑913 | Java | java/jython-injection | Injection in Jython |
CWE‑913 | Java | java/unsafe-eval | Injection in Java Script Engine |
CWE‑913 | Java | java/spring-view-manipulation-implicit | Spring Implicit View Manipulation |
CWE‑913 | Java | java/spring-view-manipulation | Spring View Manipulation |
CWE‑913 | Java | java/unsafe-reflection | Use of externally-controlled input to select classes or code ('unsafe reflection') |
CWE‑913 | Java | java/unsafe-deserialization-rmi | Unsafe deserialization in a remotely callable method. |
CWE‑913 | Java | java/unsafe-deserialization-spring-exporter-in-configuration-class | Unsafe deserialization with Spring's remote service exporters. |
CWE‑913 | Java | java/unsafe-deserialization-spring-exporter-in-xml-configuration | Unsafe deserialization with Spring's remote service exporters. |
CWE‑913 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
CWE‑913 | JavaScript | js/template-object-injection | Template Object Injection |
CWE‑913 | JavaScript | js/code-injection | Code injection |
CWE‑913 | JavaScript | js/actions/command-injection | Expression injection in Actions |
CWE‑913 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
CWE‑913 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑913 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
CWE‑913 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑913 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑913 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑913 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑913 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
CWE‑913 | JavaScript | js/code-injection-more-sources | Code injection with additional heuristic sources |
CWE‑913 | JavaScript | js/unsafe-deserialization-more-sources | Deserialization of user-controlled data with additional heuristic sources |
CWE‑913 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑913 | Python | py/code-injection | Code injection |
CWE‑913 | Python | py/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑913 | Ruby | rb/server-side-template-injection | Server-side template injection |
CWE‑913 | Ruby | rb/code-injection | Code injection |
CWE‑913 | Ruby | rb/unsafe-code-construction | Unsafe code constructed from library input |
CWE‑913 | Ruby | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑913 | Swift | swift/unsafe-webview-fetch | Unsafe WebView fetch |
CWE‑913 | Swift | swift/unsafe-js-eval | JavaScript Injection |
CWE‑915 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
CWE‑915 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
CWE‑915 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
CWE‑915 | JavaScript | js/prototype-polluting-assignment-more-sources | Prototype-polluting assignment with additional heuristic sources |
CWE‑916 | Java | java/hash-without-salt | Use of a hash function without a salt |
CWE‑916 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
CWE‑916 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
CWE‑916 | Swift | swift/constant-salt | Use of constant salts |
CWE‑916 | Swift | swift/insufficient-hash-iterations | Insufficient hash iterations |
CWE‑917 | Java | java/ognl-injection | OGNL Expression Language statement with user-controlled input |
CWE‑918 | C# | cs/request-forgery | Server-side request forgery |
CWE‑918 | Go | go/request-forgery | Uncontrolled data used in network request |
CWE‑918 | Go | go/ssrf | Uncontrolled data used in network request |
CWE‑918 | Java | java/ssrf | Server-side request forgery |
CWE‑918 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
CWE‑918 | JavaScript | js/request-forgery | Server-side request forgery |
CWE‑918 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
CWE‑918 | Python | py/full-ssrf | Full server-side request forgery |
CWE‑918 | Python | py/partial-ssrf | Partial server-side request forgery |
CWE‑918 | Ruby | rb/request-forgery | Server-side request forgery |
CWE‑922 | C++ | cpp/cleartext-storage-buffer | Cleartext storage of sensitive information in buffer |
CWE‑922 | C++ | cpp/cleartext-storage-file | Cleartext storage of sensitive information in file |
CWE‑922 | C++ | cpp/cleartext-storage-database | Cleartext storage of sensitive information in an SQLite database |
CWE‑922 | C# | cs/password-in-configuration | Password in configuration file |
CWE‑922 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
CWE‑922 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
CWE‑922 | Java | java/android/backup-enabled | Application backup allowed |
CWE‑922 | Java | java/android/cleartext-storage-database | Cleartext storage of sensitive information using a local database on Android |
CWE‑922 | Java | java/android/cleartext-storage-filesystem | Cleartext storage of sensitive information in the Android filesystem |
CWE‑922 | Java | java/cleartext-storage-in-class | Cleartext storage of sensitive information using storable class |
CWE‑922 | Java | java/cleartext-storage-in-cookie | Cleartext storage of sensitive information in cookie |
CWE‑922 | Java | java/cleartext-storage-in-properties | Cleartext storage of sensitive information using 'Properties' class |
CWE‑922 | Java | java/android/cleartext-storage-shared-prefs | Cleartext storage of sensitive information using SharedPreferences on Android |
CWE‑922 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
CWE‑922 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
CWE‑922 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
CWE‑922 | JavaScript | js/password-in-configuration-file | Password in configuration file |
CWE‑922 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
CWE‑922 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑922 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑922 | Ruby | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑922 | Ruby | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑922 | Swift | swift/cleartext-storage-database | Cleartext storage of sensitive information in a local database |
CWE‑922 | Swift | swift/cleartext-logging | Cleartext logging of sensitive information |
CWE‑922 | Swift | swift/cleartext-storage-preferences | Cleartext storage of sensitive information in an application preference store |
CWE‑923 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
CWE‑923 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
CWE‑923 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
CWE‑923 | Java | java/insecure-smtp-ssl | Insecure JavaMail SSL Configuration |
CWE‑923 | Java | java/unsafe-hostname-verification | Unsafe hostname verification |
CWE‑923 | Java | java/socket-auth-race-condition | Race condition in socket authentication |
CWE‑923 | Java | java/maven/non-https-url | Failure to use HTTPS or SFTP URL in Maven artifact upload/download |
CWE‑923 | Java | java/improper-intent-verification | Improper verification of intent by broadcast receiver |
CWE‑923 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑923 | Java | java/ignored-hostname-verification | Ignored result of hostname verification |
CWE‑923 | Java | java/insecure-ldaps-endpoint | Insecure LDAPS Endpoint Configuration |
CWE‑923 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑923 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
CWE‑923 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑923 | Ruby | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑925 | Java | java/improper-intent-verification | Improper verification of intent by broadcast receiver |
CWE‑926 | Java | java/android/intent-uri-permission-manipulation | Intent URI permission manipulation |
CWE‑926 | Java | java/android/incomplete-provider-permissions | Missing read or write permission in a content provider |
CWE‑926 | Java | java/android/implicitly-exported-component | Implicitly exported Android component |
CWE‑926 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑927 | Java | java/android/implicit-pendingintents | Use of implicit PendingIntents |
CWE‑927 | Java | java/android/sensitive-communication | Leaking sensitive information through an implicit Intent |
CWE‑927 | Java | java/android/sensitive-result-receiver | Leaking sensitive information through a ResultReceiver |
CWE‑939 | Java | java/incorrect-url-verification | Incorrect URL verification |
CWE‑940 | Java | java/android/intent-redirection | Android Intent redirection |
CWE‑940 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
CWE‑942 | Go | go/cors-misconfiguration | CORS misconfiguration |
CWE‑942 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
CWE‑942 | JavaScript | js/cors-misconfiguration-for-credentials-more-sources | CORS misconfiguration for credentials transfer with additional heuristic sources |
CWE‑943 | C++ | cpp/sql-injection | Uncontrolled data in SQL query |
CWE‑943 | C# | cs/second-order-sql-injection | SQL query built from stored user-controlled sources |
CWE‑943 | C# | cs/sql-injection | SQL query built from user-controlled sources |
CWE‑943 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
CWE‑943 | C# | cs/stored-ldap-injection | LDAP query built from stored user-controlled sources |
CWE‑943 | C# | cs/xml/stored-xpath-injection | Stored XPath injection |
CWE‑943 | C# | cs/xml/xpath-injection | XPath injection |
CWE‑943 | Go | go/sql-injection | Database query built from user-controlled sources |
CWE‑943 | Go | go/unsafe-quoting | Potentially unsafe quoting |
CWE‑943 | Go | go/xml/xpath-injection | XPath injection |
CWE‑943 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
CWE‑943 | Java | java/concatenated-sql-query | Query built by concatenation with a possibly-untrusted string |
CWE‑943 | Java | java/sql-injection | Query built from user-controlled sources |
CWE‑943 | Java | java/sql-injection-local | Query built from local-user-controlled sources |
CWE‑943 | Java | java/ldap-injection | LDAP query built from user-controlled sources |
CWE‑943 | Java | java/xml/xpath-injection | XPath injection |
CWE‑943 | Java | java/mybatis-annotation-sql-injection | SQL injection in MyBatis annotation |
CWE‑943 | Java | java/mybatis-xml-sql-injection | SQL injection in MyBatis Mapper XML |
CWE‑943 | Java | java/xquery-injection | XQuery query built from user-controlled sources |
CWE‑943 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
CWE‑943 | JavaScript | js/xpath-injection | XPath injection |
CWE‑943 | JavaScript | js/sql-injection-more-sources | Database query built from user-controlled sources with additional heuristic sources |
CWE‑943 | JavaScript | js/xpath-injection-more-sources | XPath injection with additional heuristic sources |
CWE‑943 | Python | py/sql-injection | SQL query built from user-controlled sources |
CWE‑943 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
CWE‑943 | Python | py/xpath-injection | XPath query built from user-controlled sources |
CWE‑943 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
CWE‑943 | Python | py/nosql-injection | NoSQL Injection |
CWE‑943 | Ruby | rb/ldap-injection | LDAP Injection |
CWE‑943 | Ruby | rb/xpath-injection | XPath query built from user-controlled sources |
CWE‑943 | Ruby | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑943 | Swift | swift/sql-injection | Database query built from user-controlled sources |
CWE‑943 | Swift | swift/predicate-injection | Predicate built from user-controlled sources |
CWE‑1004 | C# | cs/web/cookie-httponly-not-set | 'HttpOnly' attribute is not set to true |
CWE‑1004 | Go | go/cookie-httponly-not-set | 'HttpOnly' attribute is not set to true |
CWE‑1004 | Java | java/tomcat-disabled-httponly | Tomcat config disables 'HttpOnly' flag (XSS risk) |
CWE‑1004 | Java | java/sensitive-cookie-not-httponly | Sensitive cookies without the HttpOnly response header set |
CWE‑1004 | JavaScript | js/client-exposed-cookie | Sensitive server cookie exposed to the client |
CWE‑1022 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
CWE‑1041 | C++ | cpp/call-to-function-without-wrapper | Missed opportunity to call wrapper function |
CWE‑1078 | C++ | cpp/comma-before-misleading-indentation | Comma before misleading indentation |
CWE‑1104 | Java | java/maven/dependency-upon-bintray | Depending upon JCenter/Bintray as an artifact repository |
CWE‑1126 | C++ | cpp/errors-when-using-variable-declaration-inside-loop | Errors When Using Variable Declaration Inside Loop |
CWE‑1176 | JavaScript | js/angular/double-compilation | Double compilation |
CWE‑1204 | Java | java/static-initialization-vector | Using a static initialization vector for encryption |
CWE‑1204 | Swift | swift/static-initialization-vector | Static initialization vector for encryption |
CWE‑1236 | Python | py/csv-injection | Csv Injection |
CWE‑1275 | JavaScript | js/samesite-none-cookie | Sensitive cookie without SameSite restrictions |
CWE‑1275 | Ruby | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑1333 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |
CWE‑1333 | Java | java/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑1333 | Java | java/redos | Inefficient regular expression |
CWE‑1333 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑1333 | JavaScript | js/redos | Inefficient regular expression |
CWE‑1333 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑1333 | Python | py/redos | Inefficient regular expression |
CWE‑1333 | Ruby | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑1333 | Ruby | rb/redos | Inefficient regular expression |
CWE‑1333 | Ruby | rb/regexp-injection | Regular expression injection |
CWE‑1333 | Swift | swift/redos | Inefficient regular expression |
CWE‑1336 | Java | java/server-side-template-injection | Server-side template injection |